Have you kicked off your GDPR programme of work?
Do you think you will be compliant by 18th May 2018?
Below I have listed the areas and questions that I feel should be considered. I have formed these into a high-level plan to aid implementation in a phased approach.
Assess the questions and points. Identify your actions from responses. These will form part of your detailed project plan, to be completed by your organisation to demonstrate compliance. These activities can be allocated among your business and IT teams. Distributing the actions appropriately across the organisation will help deepen understanding and aid wider knowledge development of the obligations on all under GDPR.
I would suggest making a list of outstanding questions where you need more knowledge. These can be asked in the many GDPR webinars currently available (or on replay from YouTube), or directly to the Information Commissioner's Office, which has a help desk contact point.
Phase 1: Need to understand
- What personal data and sensitive data do we collect/hold?
- How is it collected?
- Where did the data come from?
- Where is it stored?
- Who has access?
- Who do we share the data with?
- How is it used?
- When is it used?
- What are our obligations?
- How are we communicating awareness of GDPR across the business to existing staff and new joiners?
Phase 2: Assess Risk
- How much of it is personal data?
- How much of it is sensitive data?
- Do we need it? What, if anything, can we stop collecting, and why?
- How are our systems secured?
- Are our policies and procedures adequate? Who will confirm this?
- Is the processing we do legal?
- How would we respond appropriately if a customer exercised their rights?
- Do we have the right contractual relationships with the partners with whom we share data?
- What could go wrong?
Phase 3: Mitigate Risk / Implement
- What will we do if there is a breach?
- How would we detect, report and investigate a breach?
- To manage an effective and efficient investigation: assess which types of data are held, document which types fall within the notification requirement, and document the process to be followed if there is a breach.
- How would we erase an individual's data?
- What is our process for correcting individuals’ data?
- Can we manage / remove consent for direct marketing and automated decision making?
Data Portability
- How would we provide data electronically in a common format?
Subject Access Requests
- What will we do if a customer exercises their rights?
- How would we handle a request?
- What processes and policies do we have in place should we plan to refuse a request?
- What will the partners with whom we share data need to do?
- Do we have confidence that these partners are compliant and would not put our subjects' data at risk?
- How will we seek, obtain and record consent? The record must be auditable.
- What changes are needed to our processes to manage consent?
- Do we process data about children (under 16s, or under 13s if your member state so determines)? If so, how will we seek consent from their parent or guardian?
- What systems will we have in place to verify individuals' ages?
- How will we identify when children reach 16, as they will then need to provide their own consent?
Privacy Impact Assessment – PIA
- How would we implement an assessment in our organisation?
- Who would carry it out?
- Would it be run centrally or locally?
Data Protection Officer – DPO
- Do we need to designate a DPO? If not, who will the responsible person be?
- Where does that person sit in the governance structure?
- How will this be communicated?
- If we are an internationally based organisation, which supervisory authority do we come under?
- What changes do we need to make to our current privacy notice?
- Who will write our privacy notice, and how will we obtain management approval and publish it?
Legal Basis for Processing Data
- Look at the various types of processing we carry out and identify our legal basis for each.
- Document the identified legal basis.
- Be able to explain our legal basis for processing in a subject access request and in our privacy notice.
- Use the Data Protection Act as guidance on what constitutes a legal basis.
Data Retention Policy
- Do we have a data retention policy?
- It is down to the board of directors to decide what that retention policy is. When and how will this approval be received? Data must not be kept for any longer than is deemed necessary.
- How will we manage change while honouring our obligations?
- Who is responsible for what?
- Do they understand the risks?
- How could we stop things going wrong?
Phase 4: Demonstrate
Can we demonstrate:
- Control over processes that collect and use personal data?
- Appropriate measures?
- Ability to respond?
- Records of what we do?
- A published privacy notice?
- Consent and individual rights management?
Wishing you good governance and control with your GDPR strategy and operations!
Image credit: http://www.mojou.co.uk