One of the big differences with GDPR (see what is GDPR and does it apply to me?), compared to the Data Protection Act (DPA) that it replaces, is that you must be able to demonstrate compliance, not just be compliant. Article 5(2) of the regulation, the accountability principle, says: “The controller (i.e. your company) shall be responsible for, and be able to demonstrate compliance with, paragraph 1”, where paragraph 1 lists the data protection principles.
There are two main reasons for demonstrating compliance (outside of your legal obligation). First, the process you go through to produce that proof forces you to think about the way you collect, store and process data. This can only be a good thing, helping you tighten up the way that you collect and analyse data.
Secondly, should the worst happen and you suffer a breach, being able to show that you took security seriously and took precautions to prevent it counts in your favour: the measures you had in place are among the factors a regulator weighs when deciding whether to fine you and how much. This might help save you from a big fine.
The official documentation gives some steps on demonstrating compliance, but doesn’t set out a process. It is a good idea to document everything about your GDPR work, so it is clear that you have investigated properly and taken reasonable steps to fix any issues you found. You then have a document you can point to if you’re ever asked any questions.
While small businesses may not need an official Data Protection Officer (DPO), which GDPR only mandates for public authorities and for organisations whose core activities involve large-scale monitoring or large-scale processing of special categories of data (Article 37), putting one person in charge of GDPR documentation is still a good idea. That way, you’ve got one person making sure that everything has been done to the same standard.
Here, we’re looking at the main areas to cover. Some of the requirements call for fairly technical analysis of your processes and data storage, so you may need to employ a third-party IT consultant to help. Make sure that any work done by a third party is documented as proof.
Protect your personal data
Personal data needs to be stored, processed and accessed safely. Training staff on how to handle data securely is a good first step, and demonstrates that your entire business understands data protection and GDPR.
This training should cover the basics, such as telling staff not to copy personal data outside approved systems or share it over unsecured channels. A clear policy on how personal data may be accessed and shared is a good idea. For example, which questions should you ask a customer to verify their identity before revealing any information? You probably already have policies like these under the Data Protection Act, but there is no harm in revisiting them now.
Next, examine how you process data internally. By looking at how personal data is viewed, managed and worked with, you can spot weak points that can be strengthened, such as restricting access to a database that not all employees need to see.
Document data collection policies
Wherever you collect or process personal data, you need to be able to prove that you have the right to do so. In many cases this means obtaining consent on the basis of a precise, clearly written notice that states why you need the data and what your company plans to do with it, presented at the point of collection, such as a web form where customers enter their details.
Alongside that notice, you also need to be able to demonstrate, unambiguously, that your customers opted in to their data being collected and processed: pre-ticked boxes and silence do not count as consent under GDPR.
Consent is not the only lawful basis for processing; it is one of six listed in Article 6, and your company can process data under any of them. For example, processing needed to comply with a legal obligation, or to perform a contract with the individual, does not require consent.
Legitimate interests is another useful route. For example, passing on a customer’s details to a debt collection agency for non-payment can fall under this, provided your interest is not overridden by the individual’s rights. Elizabeth Denham, the Information Commissioner, has covered the other bases in her blog post, consent is not the ‘silver bullet’ for GDPR compliance.
In all cases, record the lawful basis for each processing activity in your documentation and, where that basis is consent, record how and when the consent was obtained.
Data protection by design and by default
GDPR requires data protection by design and by default, which means security has to be accounted for at every stage, not bolted on afterwards. At a minimum, personal data should be encrypted and stored on a system with access limited to those who need it; Article 32 names pseudonymisation and encryption as examples of appropriate security measures. This may require a third-party IT consultant to examine your systems and ensure that they’re up to scratch.
Also examine the data you have already collected to see what you currently hold. GDPR’s data minimisation principle (Article 5(1)(c)) states that personal data shall be:
“adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.”
In other words, you should collect and store only the minimum data required for your stated purpose; extraneous data should be wiped and not collected in the future.
As individuals have the right to erasure (the “right to be forgotten”, Article 17), you need a system in place that lets you find and delete an individual’s data on request without a manual hunt through every database, spreadsheet and backup, and that lets you pass the request on to any processors holding copies.
As part of GDPR, member states and supervisory authorities are expected to encourage approved codes of conduct and certification schemes, created by trade associations or representative bodies (Articles 40 and 42). Certification schemes are not obligatory, but if one becomes available for your type of business, signing up could be advantageous. They help you comply with the law and prove compliance, provide mitigation against enforcement action, and improve transparency, letting individuals know which organisations they can trust.
Certification schemes are likely to start up after GDPR has come into force, so keep an eye out for communication from your trade association, and talk to partners to see what they are doing. We suspect that more information will be forthcoming from the ICO about these certification schemes early next year.
Are your partners and services compliant?
If you use any third-party companies to process personal data on your behalf, including cloud hosting providers, GDPR requires that you have a written contract with them containing the terms set out in Article 28 of the regulation. The list of required provisions is long, so you may need to seek legal advice to have a full processor contract drawn up.
Every processor you work with must be able to demonstrate GDPR compliance, and you should ask for proof to add to your documentation. This includes larger companies, such as email providers, but it isn’t always easy: Dropbox and Google G Suite, for example, are still working towards compliance and promise to be ready for 25 May 2018, when GDPR comes into force.
Our suggestion is to keep a list of every third-party service that you use. For any that store or process personal data, record what data they hold, why, and proof of their compliance as it becomes available. If you have any questions, contact the company directly to ask for guidance. After GDPR comes into force, you may need to switch to alternative providers if your existing ones are not compliant.