A summary of the Information Commissioner’s Office’s 12-point GDPR checklist
- Ensure senior/key people are aware of GDPR and appreciate its impact.
- Document any personal data you hold, where it came from and who you share it with. Conduct an information audit if needed.
- Review your privacy notices and plan for necessary changes before GDPR comes into force.
- Check your procedures cover all individuals’ rights under the legislation – for example, how you would delete personal data or provide data electronically in a commonly used format.
- Plan how you will handle subject access requests within the new timescales and provide any additional information.
- Identify and document your legal basis for the various types of personal data processing you do.
- Review how you seek, obtain and record consent. Do you need to make any changes?
- Put systems in place to verify individuals’ ages and, if users are children (likely to be defined in the UK as those under 13), gather parental consent for data processing activity.
- Make sure you have the right procedures in place to detect, report and investigate a personal data breach.
- Adopt a “privacy by design” and “data minimisation” approach, as part of which you’ll need to understand how and when to implement Privacy Impact Assessments.
- Designate a Data Protection Officer or someone responsible for data protection compliance; assess where this role will sit within your organisation’s structure/governance arrangements.
- If you operate internationally, determine which data protection supervisory authority you come under.
For more detail on each of these 12 steps, refer to the ICO guidelines.
In May 2018 the General Data Protection Regulation (GDPR) comes into effect. The new regulation strengthens local European legislation for data protection and aligns regulators under one authority. David Thomas, Head of Information Security & Privacy Compliance at MThree Consulting, provides an overview of GDPR and the six privacy principles organisations must follow when collecting, processing and managing personal data. Organisations which breach any of these areas risk fines of up to €20 million or 4% of global turnover, as well as data processing bans.
GDPR is a new data privacy regulation adopted in 2016, the most significant and far reaching of its kind, which applies in full from 25th May 2018. The regulation, which repeals and replaces the EU Data Protection Directive 95/46/EC and all other EU national data protection legislation, asserts new and expanded privacy rights for over 500 million individuals in the EU.
The regulation applies to a wide definition of personal data, in short “any information relating to” an individual (this includes identifiers such as name, ID numbers, phone number, online ID, mobile device ID, or one or more factors about an individual’s physical, physiological, genetic, mental, economic, cultural or social identity). Supervisory authorities and courts are already applying various principles of the regulation (e.g. compulsory disclosure of personal data breaches).
In the event of a data protection breach or other types of infringement, the European regulatory body has been given the mandate to act. For organisations – GDPR regulates every entity worldwide that provides services to and / or handles information relating to individuals in the EU – compliance with GDPR is key, as non-compliance with the regulation can result in big penalties. In cases of serious infringement, fines of up to €20 million or 4% of worldwide turnover (whichever is higher) can be imposed, and organisations can be banned from processing personal data.
To comply with GDPR, organisations broadly speaking need to embed six privacy principles within their operations:
1. Lawfulness, fairness and transparency
Transparency: Tell the subject what data processing will be done. Fair: What is processed must match up with how it has been described. Lawful: Processing must meet the tests described in GDPR [article 5, clause 1(a)].
2. Purpose limitations
Personal data can only be obtained for “specified, explicit and legitimate purposes” [article 5, clause 1(b)]. Data can only be used for a specific processing purpose that the subject has been made aware of and no other, without further consent.
3. Data minimisation
Data collected on a subject should be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed” [article 5, clause 1(c)]. In other words, no more than the minimum amount of data should be kept for specific processing.
4. Accuracy
Data must be “accurate and where necessary kept up to date” [article 5, clause 1(d)]. Baselining data accuracy provides good protection against identity theft. Data holders should build rectification processes into their data management / archiving activities for subject data.
5. Storage limitations
The regulator expects personal data to be “kept in a form which permits identification of data subjects for no longer than necessary” [article 5, clause 1(e)]. In summary, data that is no longer required should be removed.
6. Integrity and confidentiality
This principle requires processors to handle data “in a manner [ensuring] appropriate security of the personal data including protection against unlawful processing or accidental loss, destruction or damage” [article 5, clause 1(f)].
These six principles give a top-level overview of the areas covered by the new regulation. They do not, however, delve into the nuances of consent and other articles of GDPR, nor the complexities of data flow mapping, lineage and coordination activities associated with implementing a programme to meet GDPR compliance.