Ninety-nine sections of data-protection legal-speak is enough to dampen the spirits of all but the most enthusiastic specialist, never mind the many small and medium-sized businesses trying to achieve the same thing without a dedicated Data Protection Officer.
But don’t worry. You are not alone.
Every organisation that controls or processes the personal data of people in the EU needs to become GDPR compliant. When the legislation comes into force on 25th May 2018, there will be a lot of people in the same position as you.
We are making that journey here at Nile. Here is a summary of what we have learned on our own GDPR compliance journey. Obviously, it isn’t legal advice but hopefully it can help you with yours. If you haven’t already done so, read GDPR for Dummies, an article we wrote last year that gives a good contextual introduction to GDPR, its impact on businesses and some useful links.
What are we trying to achieve?
There’s no getting away from it, you need to know what is required to be GDPR compliant. This includes processes and policies around the new rights for the people whose data you are keeping or processing (data subjects).
Luckily, there are lots of handy GDPR summaries online that explain these rights as well as how the new legislation differs from its predecessor — the Data Protection Act. If you use a trusted online source, these can be very helpful.
Good things to do at this stage are:
- Establish the rights of the data subjects.
- Look at each article of the legislation that is relevant to you and create a list of the ‘things’ you need in place for it (i.e. a process, a policy and a record).
There are 99 articles in the legislation but only around a third require specific action from a typical organisation, and you may already have some of these in place.
Where does the journey start?
So, you’ve looked at where you are heading. Now you need to know where you are starting from, so you can plan your route.
For this, we carried out a data audit. We looked at what personal data we captured and how we recorded it.
Different departments will likely use different types of personal data, so you will need to explore with each one precisely what data they hold. Doing this also gives you the chance to spread the word about GDPR, so everyone knows it’s coming.
From the information you collect as part of this audit, you can create a ‘Data Inventory’. This will become a very useful tool, not only to become compliant but to assist you with GDPR related queries in the future.
We would suggest the following minimum content for your Data Inventory:
- What data is held (e.g. name, address, image, website tracking analytics).
- Is it classed as special category (sensitive) data?
- How was the data obtained and for what purpose (e.g. subscribing to a newsletter, applying for a job)?
- Is the data shared with any other organisation, including outwith the EU?
- Where is the data stored (e.g. on a secure server, in a paper file)?
- The lawful basis for processing the data. GDPR (Article 6) gives six lawful bases for processing personal data; if you can’t assign one of them to an item in your inventory, you shouldn’t hold that data.
- Is a privacy notice required at the point of collection? A privacy notice tells people what you collect and why, and where consent is your lawful basis it is also the point at which that consent is captured.
- A retention schedule. Does that piece of data have a specified ‘shelf life’ after which it must be deleted?
Once you have your inventory it will act as an easy reference point for the data you hold, how you obtained it and therefore how it should be used.
It will be a useful tool for more than just GDPR. It will also help your organisation to find data easily going forward, which could make life a lot easier if those data subject requests start coming in.
What changes do you need to make? — Seven focus areas
Every organisation will need to make different adjustments depending on what personal data it stores and in what form. What is outlined below is relevant for a company like Nile.
By applying the new data inventory and knowledge of what GDPR requires, you can map out what needs to be done.
1. New processes
Probably the most straightforward place to start is with the new rights for data subjects introduced by GDPR. You may not have a process or policy in place at the moment. Processes to assess include:
- Data Protection Impact Assessments (DPIA) — These are now mandatory for projects that are “likely to result in a high risk to the rights and freedoms of natural persons”, so consider creating a slick new template or guidance for your projects.
- Subject access requests — People can request a copy of any personal data you hold on them, so you’ll need to figure out how you do this. Where they want the data in order to move it to another provider (the right to data portability), the copy needs to be in a commonly used, machine-readable format.
- Right to be forgotten — How do you remove personal data if requested? This also extends to third parties you have shared details with: how do you ensure that they also remove the data?
- Withdrawal of consent — If someone wants to withdraw consent they previously gave, what do you do?
- Right to rectification — How does someone request that you correct inaccurate information you hold on them?
- Right to restrict processing — How would you mark data so that it is stored but not otherwise used while a request is dealt with?
- Right to object to processing — What do you do when someone objects and you have to stop processing the data concerned, unless you can demonstrate compelling legitimate grounds that override their interests?
- Issue log — Under GDPR you will need to record when any of these requests are received and actioned. Requests must generally be answered within one month.
2. Privacy statements and consent forms
This area has really been tightened. Your current consent capturing process may need to be revised. Your data inventory should now tell you where you currently capture consents. It is worth reviewing these and considering if you need to add new privacy statements to obtain consent for capturing data.
- Consent must be freely given, specific to each intended use, informed, unambiguous and easy to understand.
- Consent must be actively obtained by “some form of clear affirmative action”. It cannot be inferred from inaction, silence or pre-ticked boxes, and it cannot be made a precondition of an unrelated service.
- It must be as easy for a subject to withdraw consent as it was to give it.
This all has an obvious impact on standard marketing practices, something Nile is working on right now.
3. Contracts
You will also need to think about your contracts, particularly those involving data processing outside the EU. Is GDPR built into them? Your data inventory should make it easy to see where you share data outwith the EU.
Think about how you include GDPR compliance requirements in these contracts. Although it is EU legislation, you remain accountable for the actions of your processors outside the EU if they breach GDPR, so the contract should set out what they are permitted to do with the data and what safeguards they must apply.
4. Special/sensitive data
Special category data includes information such as racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health, sex life and sexual orientation.
Your data inventory should also show you what, if any, special category data you hold. To lawfully process it you must identify the lawful basis for processing (as you do for all the data you hold) and, in addition, a separate ‘condition’ for processing special category data. There are 10 conditions in Article 9(2), so record the one that applies to you.
5. Policies
You’ll also need to review your current data protection policies and update them to reflect the change to GDPR. If by now you have created new processes, these will need to be supported by policies about when and how they are applied.
- Don’t just change the words ‘Data Protection Act’ to ‘GDPR’ in your data protection policy! Things like the timescales and responsibilities for reporting breaches (72 hours to the supervisory authority where a breach is likely to result in a risk to individuals) and the amount you can be fined have all changed.
6. Retention schedule
Your data inventory will show what data you hold. Why not use it to indicate how long that data should be kept?
Ensuring that you don’t keep personal data for longer than necessary means you are much less likely to breach GDPR. Plus, it can build efficiencies into your organisation so you are not storing anything unnecessarily.
We are creating a retention schedule as we think this represents good record management.
Tip: This is a great opportunity for a good clear-out of data you no longer need.
7. Awareness raising
So, you’re working hard creating new policies, updating procedures and generally nailing your GDPR compliance requirements. Brilliant. But don’t forget to keep the rest of your organisation informed.
They’re the ones who know how they use personal data. Keep the dialogue going. It is the best way to make sure you have everything covered.
You’ll also need to provide training/guidance on any new processes you’ve created. There is no point in having them if nobody follows them.
One way we managed this at Nile was to run a lunch session on GDPR, the changes we’re making and exploring areas we may have overlooked with the wider team. A good tip is to record the session and share via internal comms channels so absent team members and future team members can share the same knowledge.
And don’t just look internally, let your clients know too. They’ll appreciate that you are looking after their
Are we there yet?
Still with us? Great! So far we’ve covered: data inventory, new processes and supporting policies, a retention schedule to streamline our data and the team has been briefed. Are we all done?
Well, we reckon all of this work will ensure you meet the standards set out in GDPR but don’t just take our word for it. The Information Commissioner’s Office (ICO) has a handy health check you can go through. It will highlight anything you’ve missed in preparation for 25th May 2018.
So, best of luck on your journey. It may seem like a chore, but the scale and speed at which we now collect personal data make enhanced protection a must.
Let’s not lose sight of the improved customer experience we can create by having the right data and using it in the right way, but that’s another story for my service design colleagues.
What we’ve also found going through this process is the pleasant, reassuring feeling you get when you see how seriously your colleagues take the protection of personal data.