The General Data Protection Regulation came into force on 25 May 2018. As GDPR approaches its first birthday, what should be on your to-do list?
Check your privacy notice and register of processing activities
Privacy notices and records of processing activities are not static documents. They should be reviewed regularly to ensure that they accurately reflect how an organisation processes personal data.
Are you processing for new purposes? Are you collecting data from new sources? Are you using new technology, such as AI or automated decision making? Are you sharing with new organisations? Do you have an internal process to make sure that any operational changes are fed through to your privacy notice and register?
It’s also worth checking that your privacy notices are written in a way that provides individuals with an adequate level of transparency and that they are clear, concise and easy to understand.
Google’s €50m fine arose in part from a failure by Google to provide sufficient granularity in its privacy notice. Information was spread across multiple documents, legal bases were not clearly mapped to processing activities, and retention periods were unclear. This meant that individuals could not properly understand how their personal data was being used and what rights they had in relation to that processing.
Review your policies and procedures
Now that your policies and procedures have had a year to bed in, it’s time to give them a health check.
What works and where can improvements be made? Are there gaps in your processes or missing areas of guidance? Are data protection issues being considered at the outset of any new project? Are sufficient internal IT systems in place to protect personal data and minimise the risk of a breach? Do you have internal reporting procedures to encourage staff to contribute to improving policy, discuss inefficiencies and report near misses?
Look at the issues that have arisen over the last year and apply a critical eye to your processes. Can you show that you’ve learned from any personal data breaches or near misses? If not, then that may be viewed as an aggravating factor in any subsequent breach.
Are your processes for data subject requests working effectively? Have you implemented your records retention policies to reduce the amount of personal data that you hold? Can you automate the processes for handling requests or enable self-service, to reduce the administrative burden?
Identify training requirements
Ongoing training is a key element of being able to demonstrate compliance with GDPR. There’s no point having detailed policies and procedures if your workforce is not aware of these. Regular training is also a risk mitigation tool.
Your training programme should reflect the specific needs of your organisation. Rather than simply repeating the training that was provided in the run-up to GDPR, look instead at where issues have arisen or where there are gaps in knowledge and focus your training on that. For example, if a particular issue keeps recurring, look at your processes and provide the team in question with training on how to avoid it happening again in the future.
Codes of conduct
GDPR enables associations and other representative bodies to develop industry or sector specific codes of conduct for approval by supervisory authorities such as the Information Commissioner’s Office. Codes of conduct provide a great opportunity for organisations to come together and take the lead on how personal data is processed in their sector.
The ICO recently invited enquiries from representative organisations that are considering developing codes of conduct. If your sector could benefit from better consistency or a clearer guidance on handling personal data, then think about whether a code of conduct could be the way to do that.
Finally, look at your operational processes for accountability. Many organisations will have appointed someone at board level with responsibility for data protection. Is that person continuing to fulfil that role? Is data protection compliance continuing to be led from the top?
If you have a data protection officer, is he or she being given the freedom to effectively carry out the role? If that person carries out another role within the organisation, how have any conflicts of interest been managed?
Are any concerns taken seriously by senior management? If not, look at what you can do to ensure that accountability is at the forefront of your compliance programme.
Brodies’ data protection and information law team can help you review your policies and procedures and help with identifying opportunities for codes of practice. If you would like to discuss what we can do to help, please get in touch with me or your usual Brodies contact.
On May 23, 2019