Twelve Steps to GDPR nirvana – the final cream crackers!
The Information Commissioner’s Office (ICO) have published a twelve-step guide for compliance; we looked at the first of those steps last week but as I said then is it a bit like trying to eat cream crackers. So, tea at the ready, let’s look at the second six steps and how they relate to the small business.
You should review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents now if they don’t meet the GDPR standard. The ICO has published detailed guidance on consent under the GDPR, and you can use their consent checklist to review your practices. Consent must be freely given, specific, informed and unambiguous. There must be a positive opt-in – consent cannot be inferred from silence, pre-ticked boxes or inactivity. It must also be separate from other terms and conditions, and you will need to have simple ways for people to withdraw consent. Consent has to be verifiable and individuals generally have more rights where you rely on consent to process their data. You are not required to automatically ‘repaper’ or refresh all existing DPA consents in preparation for the GDPR. But if you rely on individuals’ consent to process their data, make sure it will meet the GDPR standard on being specific, granular, clear, prominent, opt-in, properly documented and easily withdrawn. If not, alter your consent mechanisms and seek fresh GDPR-compliant consent, or find an alternative to consent.
To me, this is one of the biggest GDPR impacts and I would urge you all to start now looking at this area.
You should start thinking now about whether you need to put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity.
There are specific rules that bring special attention for children’s personal data and if you believe that this area of compliance will impact your business please do seek further ICO guidance.
3. Data Breaches
You should make sure you have the right procedures in place to detect, report and investigate a personal data breach. This is an area that will impact larger corporations more as they will now be legally responsible for disclosing breaches at the time they happen, meaning that any member of the public will know straight away if their personal data has been affected; this can only be a good thing.
For smaller entities I believe that we should act by looking at how we hold our data and what risks there are. I have an announcement to make next week about how M:Power has acted to properly secure the personal data it holds as I have already reviewed this step to ensure that your data is as safe as it can be.
4. Data Protection Impact Assessment
It has always been good practice to adopt a privacy by design approach and to carry out a Privacy Impact Assessment (PIA) as part of this. However, the GDPR makes privacy by design an express legal requirement, under the term ‘data protection by design and by default’. It also makes PIAs – referred to as ‘Data Protection Impact Assessments’ or DPIAs – mandatory in certain circumstances. If you feel that a DPIA may be mandatory in your case, please consult the ICO guidance.
It is good for all small business to carry out an assessment and document this. The assessment will identify the most effective way to comply with GDPR obligations and also meet individuals’ expectations of privacy. And the PIA is an integral part of taking a privacy by design approach. Although this may sound slightly scary it should not take too long for you to complete a PIA and it will show if you do have any areas that need improvement or of high risk.
Nearly there – just two more crackers to go . . .
5. Data Protection Officers
You should designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements. In most cases that will be you!
If you do operate in more than one EU member state, you will need to determine your lead supervising state and document this. For most small business in the UK this authority will be the UK but if you do have a more complicated framework with more than a single establishment in the UK then again, I would advise you review the ICO guidance for this area.
So, time for that glug of tea as we are now done. All entities in the UK that hold personal data in whatever form are legally required to comply to the GDPR requirements. As I said right at the beginning those of us who were already working under DPA are potentially most of the way there but it is vital that you consider these twelve steps and act on them now to ensure your compliance. I believe that, with carefully consideration, this will not become just another administration burden and the quicker you act the easier it will be to ensure that you are compliance by 25th May; that is the way to achieve GDPR nirvana.