Viper: The most significant change to GDPR from DPA is the accountability principle. The GDPR requires data handlers to show how they comply with the principles – for example by documenting the decisions they take about a processing activity. What are the practical implications of this?
Under the GDPR it is not sufficient to be compliant; there is also an obligation to be able to “demonstrate” that compliance. For example, the GDPR requires organisations to carry out a privacy impact assessment (PIA) before carrying out “high risk” processing. Examples of high risk processing include using a new technology, or processing sensitive information on a large scale (such as information about health, ethnic background and so on). The PIA should describe what you plan to do, assess the necessity and proportionality of the processing, assess the risks, and set out the measures that will be put in place to address those risks. Even if the obligation to carry out a formal PIA has not been triggered, the organisation will still need to assess the data protection risks and take appropriate measures to protect personal data.
Some organisations will also be required to appoint a Data Protection Officer who must be independent from senior management.
Another area where the accountability principle may bite is around consent. If, for example, you obtain consent for sending marketing mailshots, then you should record who consented, when, what words were used to obtain consent (eg, a copy of the consent form) plus how they consented (eg, through your website or at an event they attended).
Getting the accountability principle wrong could have serious implications. The worst-case scenario would be a fine or having to pay compensation to affected individuals. The maximum fines are going to be increased from the current £500,000 to the higher of €20 million or 4% of worldwide turnover.
Viper: Article 5 of the GDPR requires that information is processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. How would an accountable person start to plan for this?
The first step is to understand what personal data an organisation holds. This should involve carrying out an audit which should include documenting what categories of data are held, what they are used for, sources and recipients of the data, retention periods, where it is held, existing information security arrangements and so on.
Once an organisation understands its data, it should start to think about how to protect that data. As you note, the GDPR requires organisations to have in place appropriate “technical” and “organisational” measures. Technical measures cover things such as the use of encryption and network security. Organisations should also consider obtaining certification to a recognised information security standard, and should think about staff training, written policies and procedures, and ongoing risk assessment and audits.
In particular it is important to make sure that staff are trained on the data protection risks. The training should be relevant to staff roles and how the organisation handles data in practice. For example, if a lot of staff work from home or work “on the go” then there should be a particular emphasis on keeping data secure when working off site.
Viper: Those whose personal information is being stored by a third party have the ‘right to be informed’, and this encompasses an obligation on the information holder to provide ‘fair processing information’, typically through a privacy notice. It emphasises the need for transparency over how organisations use personal data. What are the first steps they can take to ensure they are compliant?
As a first step, an organisation should ensure that it has a firm grasp of the different data it holds so that it can draft a privacy notice which accurately reflects its practices.
The GDPR will require organisations to include a lot of extra detail in their privacy notices. For example, the GDPR requires that individuals are told which condition is being relied on to handle personal data and individuals must also be told about their right to complain to the ICO (the data protection regulator).
Viper: Data portability may well become a hot topic. This, as we understand it, is the need to provide the personal data in a structured, commonly used and machine readable form. Open formats include, for example, CSV files. The information should be structured so that software can extract specific elements of the data to enable other organisations to use the data, and the information must be provided free of charge. How does VWV recommend companies approach the challenge of data portability?
It is important to make sure that you have the technical means to fulfil any request, ie that your systems allow you to export the data in a sufficiently granular way. We also recommend that organisations should ensure that staff are trained so that they can spot requests when they are made.
Regarding the format of the data, open formats such as CSV should be used, as you suggest. You should also provide any metadata at the best possible level of granularity.
Viper: In conclusion, what Top Five Tips do you recommend that readers focus on?
1. Understand what personal data your organisation holds. This will help plan ahead and will help to ensure that nothing “falls between the cracks” in terms of GDPR compliance.
2. Focus in particular on information security as this is the area of greatest financial risk. The vast majority of data protection fines have come about as a consequence of security breaches.
3. Be prepared. The GDPR enhances many of the rights which individuals have under data protection law. In addition, individuals are becoming ever more aware of these rights. Therefore expect to receive a lot of data protection related requests and also be prepared for individuals to complain to the ICO if they are not happy with how you have handled their request.
4. Check your supplier contracts. If you use a third party to handle personal data on your behalf then you should check that the contract contains the data protection provisions mandated by the GDPR. You must also carry out due diligence on your contractors to make sure that they understand and comply with the GDPR principles in practice.
5. View the GDPR as an opportunity. Whilst the increased regulatory burden is unwelcome, the GDPR is also a good excuse to interact with your customers, employees and other stakeholders. For example, if you need to update your staff privacy notice then this could be done as part of a wider staff engagement process.