The General Data Protection Regulation (GDPR) is a large and complex piece of legislation, which can make it difficult to comply with. In this article, we have created a list of some key questions that you and your organisation should consider in order to work out whether you are in breach of the GDPR or not.
Be aware that this list is not exhaustive and may not be appropriate for all organisations, so legal advice should be obtained if you are unsure whether you are fully compliant with the GDPR.
If you are looking for more information about the GDPR, including what it means and how the UK GDPR differs from the EU GDPR, click here to visit our GDPR FAQ article.
Access control is an important facet of information security, so it is important to determine what sensitive information is processed and who has access to it
Data controllers with 250 or more employees, or who conduct high-risk data processing, are required to record their data processing activities. They must also be prepared to provide this list to regulators upon request.
The best way to demonstrate GDPR compliance (which is required by the GDPR) is to perform a Data Protection Impact Assessment (DPIA).
Smaller organisations with fewer than 250 employees should also perform a DPIA, as it will make it easier to meet the other requirements of the GDPR.
Remember to include:
Data processing is illegal under the GDPR unless it can be justified with one of the lawful bases.
Remember that:
The right to be informed means that organisations are required to tell people that their data is being collected, how it is processed, who has access to it and how you are keeping it safe. This information must be available to the person at the point at which their data is collected.
This is best done in the form of a privacy notice. It should be easy to access, concise, intelligible and use plain and simple language.
The principles of data protection by design and by default should be followed at all times. This means that both technical and organisational measures should be implemented to ensure data security.
Technical measures include encryption of the data being stored. Organisational measures include limiting the amount of personal data that is stored and deleting data when it is no longer needed.
The GDPR requires encryption or pseudonymisation to be used where possible to improve data privacy.
Most productivity tools, such as email, messaging services and cloud storage, have encryption built in. However, organisations should always check the services that they use and are planning to use to make sure that this is definitely the case.
Operational security is just as important as technical security. This means that employees must be trained in the requirements of GDPR and data security.
Organisations should create a security policy that ensures all staff members are knowledgeable about data security, including guidance on:
Any employees with access to personal data or who are non-technical should receive extra training on GDPR requirements.
DPIAs are used in order to gain an understanding of how a product or service could jeopardise customer data, and how the risk of this can be minimised.
The GDPR requires that this is performed whenever personal data is used in a way that is likely to present a high risk to the data subjects, but the Information Commissioner’s Office (ICO) recommends performing a DPIA every time an organisation intends to process personal data.
In the event of unauthorised access to personal data, a notification must be made within 72 hours. This means that an organisation should have two plans in place to be used in the event of a data breach: one for informing the supervisory authority and another for contacting data subjects if required.
In the UK, this supervisory authority is the ICO.
As part of adopting data protection by design and by default, somebody in the organisation should be made responsible for ensuring GDPR compliance.
The person responsible should have the power to evaluate data protection policies and their implementation to keep them up to date with the latest technology and legislation.
Any third-party service that handles personal data that an organisation collects should have a data processing agreement with them. These services may include analytics software, email services and cloud servers.
Most services will have a standard data processing agreement on their website. Only use third parties that are reliable and can make sufficient data protection guarantees.
Organisations outside of the UK that offer goods or services to individuals in the UK, or monitor the behaviour of individuals in the UK, must have a UK-based representative. This does not apply in certain circumstances, so click here to view the relevant ICO guidance.
An organisation must appoint a DPO if any of the following apply:
Their role is to monitor the organisation’s GDPR compliance, assess data protection risks, advise on DPIAs and cooperate with the regulatory authorities.
All organisations must uphold the privacy rights enshrined in the GDPR. This means that people must be able to request to see the personal data held on them.
Any copies sent must be easily accessible, and sent within one month of the request. If possible, oral formats should be offered to aid the visually impaired, and paper copies for people without computer access.
Also, the first copy they request must be free of charge, and a reasonable fee can be charged for any subsequent copies.
Finally, organisations must verify the identity of the person making the request.
Make sure a data quality process is in place. It should make it easy for customers to view and update their personal information for accuracy and completeness.
Again, organisations must verify the identity of the person making the request and comply with it within one month.
People have the right to ask for their personal data to be deleted, and organisations must make this easy for people to do by, for example, providing a request form.
Make sure that procedures are in place to deal with this type of request.
Remember that this type of request is usually only approved when there is a dispute regarding the lawfulness of any processing, and that the data can still be stored while processing is suspended.
When an organisation provides people with copies of their personal data, it must be in a format that is commonly readable, such as a spreadsheet.
Organisations must have a system in place to facilitate this type of request.
If a customer requests that their data is no longer used for direct marketing, this must be honoured immediately. Otherwise, processing may be allowed to continue if an organisation can demonstrate that they have a legitimate interest in doing so.
If an organisation uses automated processes to help make decisions about people that have legal or similarly significant effects, they must make it easy for people to request human intervention and to challenge decisions that have already been made using automated processes.
If you or your organisation are looking to learn more about the UK GDPR, consider taking our: