The General Data Protection Regulation (GDPR) will apply from 25th May, 2018. If you haven’t already done so, it is essential to start preparing for the implementation of the Regulation. In the checklist below, Kate Colleary, co-founder and director, Frontier Privacy, highlights some questions to ask within your organisation so that you can start identifying what needs to be done.
How do you collect personal data?
- What personal data do you hold? For instance, names, addresses, telephone numbers, occupations. Is any sensitive personal data (what GDPR calls "special categories of personal data") collected? Examples would include data on racial or ethnic origin, political opinions, religious beliefs, trade union membership, health matters and sexual orientation.
- Why are you collecting, processing, sharing and retaining it? Is it necessary for you to collect, process, share or retain it? What is your legal basis for collecting, processing, retaining and sharing the data?
- Do you have a privacy policy? Is it GDPR-ready?
- Are your privacy notices sufficient? Make sure that people are clearly told: what data you are collecting; why you are collecting it; what you are using it for; and who you share it with. For sensitive personal data, do you have explicit consent from each data subject or another lawful reason to collect this data?
- What steps are taken to ensure the personal data is kept accurate?
How long is personal data retained?
- Do you have a data retention policy and a training programme to ensure that it (and your other policies) is complied with in practice?
- How long is personal data held and is it strictly necessary to hold the personal data for this period? Review each category of data to ascertain whether it is necessary to hold it for each period.
- Are databases regularly reviewed and “cleansed” to ensure accuracy, deletion of irrelevant material and deletion of documents after the retention period?
What security measures are in place?
- What technical and organisational measures are in place to ensure that personal data is protected against unauthorised access, damage or erasure? Are the security measures appropriate to the risk posed to the data? Examples of security measures include encryption (of data at rest and in transit), strong password and authentication policies, and access limitations that give staff only the access their role requires.
What are your contingency plans in the event of a catastrophic event or a breach?
- Do you have a data breach plan in place and has training been carried out to ensure that all staff are aware of the steps to take in the event of a data breach? Bear in mind that GDPR requires notifiable breaches to be reported to the supervisory authority within 72 hours of becoming aware of them, so the plan must work to that timetable. Are the contact details for the lawyers, PR team, IT team and senior management up to date?
Is personal data disclosed to third parties?
- What is your lawful basis for disclosing the data? Have you notified the data subjects that these transfers take place? Review all transfer agreements to ensure they are GDPR-ready.
- Who are your third-party data processors? Are they suitable? Do they give you guarantees relating to their compliance with data-protection laws? Do you have an agreement in writing? Is it GDPR-ready?
- Where do you store personal data? Do you store personal data outside the European Economic Area (EEA)? If so, do you have the required international transfer documents in place? They may be in your providers’ terms and conditions. Check what they say.
Individuals’ rights under GDPR
Are there procedures in place to allow individuals to:
- gain access to their personal data;
- have inaccuracies corrected;
- have information erased;
- object to direct marketing;
- restrict the processing of their information, including automated decision-making; and
- have data portability?
New concepts under GDPR
- Are you ready to carry out a Data Protection Impact Assessment (DPIA)? A DPIA is the documented process of considering the potential impact that a project might have on the privacy of individuals. It will allow organisations to identify potential privacy issues before they arise, and encourages you to come up with a way to mitigate the risks.
- Data Protection Officers must be appointed by some organisations, such as public bodies; organisations whose core activities involve the regular and systematic monitoring of data subjects on a large scale; and organisations whose core activities involve processing sensitive personal data on a large scale.
Disclaimer: Please note that the information contained in this article is for information purposes only and should not be considered to constitute legal advice.
Colleary & Co law firm, and its sister consulting practice, Frontier Privacy, helps clients comply with data-protection requirements. From initial compliance assessments, to drafting policies and training staff, we can help. Contact: Katecolleary@collearyandco.com
This Business Support article featured in the November/December 2017 edition of The Hardware Journal