If your company handles personal data, GDPR is a legal obligation from 25th May 2018. This includes personal data held by HR, supplier and marketing teams. GDPR asks companies to be fair and transparent in the way personal data is processed, and to use adequate security to keep it safe.
There's a lot of guidance out there, not all of it correct. From our work training over 70 companies and helping more with assessments, monitoring and remediation, we found the 14 key requirements to be:
1. Identify and document data protection responsibilities of individuals and committees from the top down. Do you legally require a Data Protection Officer?
2. Refresh data privacy and security policies, standards and procedures so that they align with the legislation and regulatory guidance.
3. Inform and test any people handling data on the company's behalf and obtain attestations. Some roles will require additional guidance.
4. Document what personal data your business processes, where it came from and what T&Cs applied, where it goes (systems, networks, legal entities) and who uses it.
5. Record the legal basis for processing each data item, which may be vital interest, legal compliance, performance of a contract, legitimate interest or (only if none of the others apply) consent. Take extra care with special category and children's data.
6. Delete data that is no longer needed. Document your retention periods based on the data and processes you have, then ensure secure deletion processes are in place. Don't capture data you don't need!
7. Protect the confidentiality, integrity and availability of personal data in transit, in use and at rest. Controls should be aligned to the specific data risk. Certified standards such as Cyber Essentials and ISO 27001 can be considered.
8. Understand and document the privacy risks presented by data items and processes. Ensure process designs consider privacy and the safest default privacy settings throughout the change lifecycle. Conduct full Data Protection Impact Assessments (DPIAs) for future high-risk processes.
9. You're still accountable if other companies process your data. Conduct rigorous due diligence and ensure adequate contracts are in place to define the processes and ensure appropriate control. Data Processors must take extra care to avoid becoming Data Controllers unnecessarily.
10. Check the adequacy of the destination country if transferring data outside the UK and EEA. If a country is not adequate, Model Contracts, Binding Corporate Rules or Privacy Shield (US) may be required.
11. Ensure websites display privacy and cookie notices which give a genuinely transparent view of what data you're collecting and what you're doing with it. Keep an eye on the ICO.org.uk website as an emerging best-practice template!
12. Establish effective, formal operational procedures to respond to Data Subjects' requests. Ensure adequate oversight of decisions and secure responses. The GDPR also introduces new types of request and shorter response times. Be careful of old data stored in emails and cupboards!
13. Plan and test for an incident as part of your security activities. Define who will be saying and doing what, including 72-hour notifications to the regulator and affected individuals.
14. Take a step back and ensure things are working as they should. Metrics can help ongoing monitoring and continuous improvement, while risk-based auditing can stop the company from tripping itself up.
This list will help you with the main aspects of GDPR, but we always recommend speaking with a specialist.
Data GRC have a range of tools and services to support businesses for data protection (and GDPR) and information security. This includes: