It is two years two months since the General Data Protection Regulation (GDPR) entered into force on the 25th May 2016. It was decided that enforcement of the GDPR would not begin until 25th May 2018.
Organisations which process personal information ( data controllers) have had a long lead in period to prepare for the GDPR. The Information Commissioners Office (ICO) have published a great deal of guidance over the past two years to assist organisations in their compliance journey. The ICO have also made it clear that they expect that organisations which process personal information will have taken advantage of the two year interim period to ensure compliance with the GDPR.
It is likely that organisations which have not used the two year period wisely will face greater punishment should they be subject to regulatory action.
This bulletin will discuss what are arguably the minimum requirements of the GDPR to allow organisations which process personal information to benchmark their current compliance.
2. The Principles.
The GDPR sets out seven key principles. Organisations must ensure that their data protection policies and procedures are built around the principles. This is a key requirement of the legislation. The principles briefly are as follows:
- Lawfulness, fairness and transparency.
- Purpose limitation.
- Data minimisation.
- Storage limitation.
- Integrity and confidentiality (security).
The principles are similar to those in the Data Protection Act 1998. Under the GDPR there is no principle for individual rights which is now dealt with separately and there is no principle for international transfers of personal information which is also dealt with elsewhere in the GDPR. There is a new accountability principle which lies at the heart of GDPR. The principles must be complied with and failure to do so may lead to substantial fines being imposed. There will be a more in depth discussion about the principles later in this bulletin.
3. Minimum requirements.
3.1 Information Audit.
An information audit or data mapping exercise is key to compliance with data protection law. All organisations should be able to map what personal information they process, where it is collected from ,where it is stored and any third parties with which it is shared. The type of personal information processed should be clear especially if special category information is collected or other sensitive personal information ( for example banking information). Documented risk assessments should be made for special category data so that it is clear how this information is secured.
An information audit will also help an organisation to prepare a data retention policy. For example the information audit should flag any personal information which has been kept for long periods without review or deletion.
Whilst completing an information audit organisations may also consider their compliance with the GDPR principles;
3.2 Lawful basis for processing personal data 1st principle.
All organisations must identify a lawful basis for processing personal information which must be documented and made available to all those whose personal information they process. There are six lawful bases which are in summary:
- Consent the individual has given clear consent for you to process their personal information for a specific purpose.
- Contract the processing is necessary for a contract you have with the individual.
- Legal obligation the processing is necessary for you to comply with the law.
- Vital interests the processing is necessary to protects someone’s life.
- Public task the processing is necessary for you to perform a task in the public interest or for your official functions.
- Legitimate interests the processing is necessary for your legitimate interests or the legitimate interests of a third party.
An Organisation’s privacy notice(s) must include their lawful basis for processing personal information as well as the purposes of the processing. This is a key to compliance with the first principle. Organisations should consider privacy notices for customers and for staff.
3.3 Purpose limitation ( 2nd principle).
Organisations must be clear about their purposes for processing personal information. These should be recorded as part of an organisations documented obligations and should also be specified in privacy notices.
3.4 Data minimisation ( 3rd principle).
Organisations must ensure that personal information is adequate ( sufficient to fulfil your stated purpose); relevant and is limited to what is necessary that is you don’t hold more than you need for that purpose.
3.5 Accuracy (4th principle).
Organisations should take all reasonable steps to ensure that the personal information they hold is not incorrect or misleading as to any matter of fact. If an organisation discovers that information is incorrect or misleading they must take reasonable steps to correct or erase it as soon as possible.
3.6 Storage limitation (5th principle).
Personal information should not be kept for longer than is necessary. Organisations should be able to justify how long they keep personal information and should have a policy detailing standard retention periods wherever possible. Ideally standard retention periods should also be included in an organisation’s privacy policies and notices.
3.7 Integrity and confidentiality (security) (6th Principle).
Organisations must ensure that they have appropriate security measures in place to protect the personal information they hold ( more on this principle when discussing security and personal data breaches).
3.8 Accountability (7th principle).
Accountability makes you responsible for complying with the GDPR and says that you must be able to demonstrate your compliance for example by adopting and implementing data protection policies. The ICO recommends that organisations implement a privacy management framework to help to embed accountability measures and create a culture of privacy in an organisation ( more on the accountability principle at section 5).
3.9 Special category or criminal offence data.
Organisations which process special category or criminal offence data also need to identify an additional condition for processing this type of data.
4 Individual’s rights.
4.1 Organisations should be aware of individual’s rights under GDPR and should have policies and procedures in place to ensure that where requests are made to exercise those rights the requests are dealt with quickly and professionally. The ICO has stated that it expects that policies to be in place.
4.2 The right to be informed.
Individuals have the right to be informed about the collection and use of their personal information. This is a key transparency requirement under the GDPR. Organisations provide individuals with information about the purposes for processing their personal information, the retention periods and who it will be shared with. This privacy information should be provided at the time of the collection of the information. Organisations should publish privacy information on websites and within forms or letters that are sent to individuals.
4.3 Right of access.
The right of access otherwise known as subject access gives individuals the right to obtain a copy of their personal data as well as other supplementary information. Organisations should have a policy in place for dealing with subject access requests and a procedure for staff to follow.
4.4 Right to erasure.
Under GDPR individuals have the right to have personal data erased. This is sometimes referred to as the right to be forgotten. This right is not absolute and only applies in certain circumstances. Individuals have the right to have their personal data erased if the following conditions apply:
- The personal data is no longer necessary for the purpose for which it was originally collected.
- You rely on consent as your lawful basis for holding the data and the individual withdraws consent.
- You are relying on legitimate interests as your basis for processing, the individual objects to your processing and there is no overriding legitimate interest to continue the processing.
- You are processing for direct market purposes and the individual objects to that processing.
- You have processed the personal information unlawfully.
- You have to do it to comply with a legal obligations.
- You have processed the personal information to offer information society services to a child.
There is more of an emphasis on the right to erasure if this applies to data collected from children.
4.5 Right to restrict processing.
Individuals have the right to request restriction or suppression of their personal information. Again this is not an absolute right and only applies in certain circumstances. Organisations should know how to recognise a request for restriction and should have a policy in place to deal with requests which may be verbal or in writing.
4.6 Right to data portability.
The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal information easily from one IT environment to another in a safe and secure way. The right only applies to information that an individual has provided to a controller.
Again the ICO guidelines say that organisations must know how to recognise a request and have a policy in place to deal with such requests.
4.7 Right to object to processing.
The GDPR gives individuals the right to object to the processing of their personal data in certain circumstances. Individuals have an absolute right to stop their data being used for direct marketing. Organisations must tell individuals that they have right to object to processing. Again the ICO guidelines say that organisations must know how to recognise a request and have a policy in place to deal with such requests.
4.8 Rights related to automated decision making including profiling.
The GDPR has provisions on automated individual decision making and profiling. You must identify whether any of your processing is automated or you rely on profiling.
5 Accountability and Governance.
5.1 As mentioned briefly in section 3.8 Accountability is a new principle under the GDPR. It is one of the biggest changes introduced by the GDPR. Not only does accountability require compliance with the GDPR it also requires that organisations are able to demonstrate that compliance. According to ICO guidance there are measures that must be put into place which include the following:
- Adopting and implementing data protection policies.
- Taking a data protection by design and default approach.
- Putting written contracts into place with organisations that process personal data on your behalf.
- Recording and where necessary reporting personal data breaches.
- Carrying out data protection impact assessments for uses of personal data that are likely to result in high risk to individuals interests.
- Appointing a data protection officer ( where necessary)
- Adhering to relevant codes of conduct and signing up to certification schemes.
It is important that organisations ensure that there is a good level of understanding and awareness of data protection amongst their staff and that comprehensive policies and procedures for handling personal information are in place and are understood by all staff.
6.1 A key principle of the GDPR is that personal information is processed securely by means of ˜appropriate technical and organisational measures.’ This is the security principle.
Organisations must ensure the ˜confidentiality, integrity and availability’ of systems and services and the personal information which is processed.
6.2 Organisations must consider things like risk analysis, organisational policies and physical and technical measures.
6.3 Organisations must also ensure that they are able to restore access and availability to personal data in a timely manner in the event of a physical or technical incident.
6.4 Organisations must also ensure that they have appropriate processes in place to test the effectiveness of security measures which have been put into place and be able to undertake any required improvements.
7 Personal data breaches.
7.1 The GDPR requires all organisations to report certain types of personal data breaches to the relevant supervisory authority. The breach must be reported within 72 hours. If the breach is likely to result in a high risk of adversely affecting individuals rights and freedoms the individuals must also be informed without undue delay.
7.2 Organisations should ensure that they have robust breach detection investigation and internal reporting procedures in place. This should include decision making about whether or not the supervisory authority should be informed of the breach and the affected individuals.
7.3 Organisations must keep a record of any personal data breaches regardless of whether they are required to notify or not.
The minimum requirements discussed in this bulletin should now be in place in all organisations which process personal information. This should include a suite of data protection policies and relevant staff training. Where organisations are not sure of their current compliance PRODPO may be able to assist with an assessment of current compliance against the minimum requirements.