GDPR Readiness
As I'm sure you're aware the new GDPR rules come into play in May this year. If you're not sure what GDPR is or how it affects you I've written a separate article about that on the Mind the Product blog (note this article is written from a Product Management perspective).
So, with regards to GDPR readiness the UK based Information Commissioner's Office have recently released a fantastic self assessment tool for Data Controllers (there is also a tool for Data Processors, and an overall suite of Data Protection health checks). Whilst this tool is an excellent resource, I found I had to wrongly mark myself as 'not yet implemented' to every question in order to see all the recommendations (so I could check my readiness for GDPR was in order). Also I had to manually open up the 'more information' tool on each section (there are a lot of sections) and then download a Word document in order to get a saved copy. Then I had to combine these all into one document to get all the information and recommendations in one place.
So, to save you doing that I've listed all the information below. Please note this is all information from the ICO website - I'm just listing it below to hopefully save you time. I would still really recommend you go through the tools yourself to show you what you need to do some work on before the May deadline. I would also recommend keeping a close eye on the ICO website (or whichever authority looks after Data Protection in your region) as the information below is relevant now (as of 19th January 2018) but some new guidance may still come into play before May.
Step 1: Lawfulness, fairness and transparency
1.1 Information you hold
Your business has conducted an information audit to map data flows.
More information
You should organise an information audit across your business or within particular business areas. One person with in-depth knowledge of your working practices may be able to do this.
This will identify the data that you process and how it flows into, through and out of your business.
Remember, an information flow can include a transfer of information from one location to another. For example, the information may stay within your business yet a transfer takes place because the department or other office is located elsewhere (off site).
Having audited your information, you should then be able to identify any risks.
Suggested actions
You should:
- organise an information audit across your business or within particular business areas to identify the data that you process and how it flows into, through and out of your business;
- ensure this is conducted by someone with in-depth knowledge of your working practices; and
- identify and document any risks you have found, for example in a risk register.
Guidance
Find out what information you have, National Archives
Identify information assets, National Archives
Your business has documented what personal data you hold, where it came from, who you share it with and what you do with it.
More information
Once you have completed your information audit, you should document your findings, for example in an information asset register. Doing this will also help you to comply with the GDPR’s accountability principle, which requires your business to be able to show how you comply with the GDPR principles, for example by having effective procedures and guidance for staff.
If you have fewer than 250 employees then you must keep records of any processing activities that:
* are not occasional;
* could result in a risk to the rights and freedoms of individuals; or
* involve the processing of special categories of data or criminal conviction and offence data.
If you have over 250 employees, you must record the following information:
* name and details of your business (and where applicable, of other controllers, your representative and data protection officer);
* purposes of the processing;
* description of the categories of individuals and categories of personal data;
* categories of recipients of personal data;
* where applicable, details of transfers to third countries including documentation of the transfer mechanism safeguards in place;
* retention schedules; and
* a general description of technical and organisational security measures.
You may be required to make these records available to the ICO on request.
Suggested actions
You should:
- maintain records of processing activities detailing what personal data you hold, where it came from, who you share it with and what you do with it. This will vary depending on the size of your business;
- consider using an information asset register to do this; and
- ensure you have procedures to guide staff on how to manage information you hold.
Guidance
Identify information assets, National Archives
Information Asset Register template, National Archives
1.2 Lawful bases for processing personal data
Your business has identified your lawful bases for processing and documented them.
More information
You need to identify lawful bases before you can process personal data and special categories of data.
Your lawful bases for processing have an effect on individual’s rights. For example, if you rely on someone’s consent to process their data, they will have a stronger right to have their data deleted. It is important that you let individuals know how you intend to process their personal data and what your lawful bases are for doing so, for example in your privacy notice(s).
See the table at the link below for further information on this.
Guide to the GDPR - Lawful bases for processing
Suggested actions
You should:
- look at the various types of data processing you carry out;
- identify your lawful bases for carrying it out; and
- document it, for example in your privacy notice(s).
Guidance
Guide to the GDPR - Lawful bases for processing, ICO website
1.3 Consent
Your business has reviewed how you ask for and record consent.
More information
The GDPR sets a high standard for consent, but remember you don’t always need consent. You should also assess whether another lawful basis is more appropriate.
Consent means offering people genuine choice and control over how you use their data. You can build trust and enhance your business by using consent properly.
The GDPR builds on the DPA standard of consent in several areas and contains much more detail:
* Keep your consent requests separate from other terms and conditions.
* Consent requires a positive opt-in. Use unticked opt-in boxes or similar active opt-in methods.
* Avoid making consent a precondition of service.
* Be specific and granular. Allow individuals to consent separately to different types of processing wherever appropriate.
* Name your business and any specific third party organisations who will rely on this consent.
* Keep records of what an individual has consented to, including what you told them, and when and how they consented.
* Tell individuals they can withdraw consent at any time and how to do this.
Suggested actions
You should:
- Check that consent is the most appropriate lawful basis for processing.
- Make the request for consent prominent and separate from your terms and conditions.
- Ask individuals to positively opt in.
- Use unticked opt-in boxes or similar active opt-in methods.
- Use clear, plain language that is easy to understand.
- Specify why you want the data and what you’re going to do with it.
- Give granular options to allow individuals to consent separately to different types of processing wherever appropriate.
- Name your business and any specific third party organisations who will rely on this consent.
- Tell individuals they can withdraw consent at any time and how to do this.
- Ensure that individuals can refuse to consent without detriment.
- Don’t make consent a precondition of service.
Your business has systems to record and manage ongoing consent.
More information
Your obligations don’t end when you first get consent. You should continue to review consent as part of your ongoing relationship with individuals, not a one-off compliance box to tick and file away.
Keep consent under review, and refresh it if anything changes. You should have a system or process to capture these reviews and record any changes.
If your current consent doesn’t meet the GDPR’s high standards or is poorly documented, you will need to seek fresh GDPR-compliant consent, identify a different lawful basis for your processing (and ensure continued processing is fair), or stop the processing.
Suggested actions
You should:
- Keep a record of when and how you got consent from the individual.
- Keep a record of exactly what they are told at the time.
- Regularly review consent to check that the relationship, processing and the purposes have not changed.
- Have processes to refresh consent at appropriate intervals, including any parental consent.
- Consider using privacy dashboards or other preference management tools as a matter of good practice.
- Make it easy for individuals to withdraw their consent at any time and publicise how to do so.
- Act on withdrawals of consent as soon as you can.
- Don’t penalise individuals who wish to withdraw consent.
If current consent doesn’t meet the GDPR’s high standards or is poorly documented, your business will need to:
- seek fresh GDPR-compliant consent; or
- identify a different lawful basis for your processing (and ensure continued processing is fair); or
- stop the processing.
Guidance
Guide to the GDPR - Consent, ICO website
1.4 Consent to process children’s personal data for online services
If your business relies on consent to offer online services directly to children, you have systems in place to manage it.
More information
If you offer online services to children and you rely upon consent, only a child aged 13 or over will be able to provide their own consent.
You will therefore need to make reasonable efforts to verify that anyone giving their own consent is old enough to do so.
For children under 13 you will need to get consent from whoever holds parental responsibility for the child - unless the online services you offer are for prevention or counselling.
You must make reasonable efforts (using available technology) to verify that the person giving such consent does, in fact, hold parental responsibility for the child.
Suggested actions
You should:
- have a process in place to verify the age of an individual (to determine if they are 13 years old or under) to confirm if they are old enough to provide consent themselves;
- if not relying on consent, identify the most appropriate lawful basis for the processing;
- document your lawful basis for processing; and
- obtain the parent or guardian’s consent or authority if you want to rely on consent as the lawful basis for your processing.
Guidance
Guide to the GDPR - Applications - Children, ICO website
1.5 Registration
Your business is currently registered with the Information Commissioner's Office.
More information
Until May 2018, you are still required to register with the ICO (unless an exemption applies).
After May 2018 you need to pay the ICO a data protection fee.
Suggested actions
You should continue to register with the ICO if your annual registration is due before May 2018.
Guidance
ICO fee and registration changes next year, ICO blog
Step 2: Individuals' rights
2.1 Right to be informed including privacy notices
Your business has provided privacy notices to individuals.
More information
Individuals need to know that their data is collected, why it is processed and who it is shared with.
You should publish this information in your privacy notice on your website and within any forms or letters you send to individuals.
The information must be:
* concise, transparent, intelligible and easily accessible;
* written in clear and plain language, particularly if addressed to a child; and
* free of charge.
The information you supply is determined by whether or not you obtained the personal data directly from the individual or from a third party. See the table at the link below for further information on this.
Guide to the GDPR - Right to be informed
Suggested actions
Your privacy notice should:
- let individuals know who you are, why you are processing their data and who you share it with;
- be concise and to the point;
- be easy to understand;
- be clearly signposted and easy to access;
- be written in clear and plain language, particularly if addressed to a child;
- be free of charge;
- include different information depending on whether you obtained the data directly from the individual or not; and
- be reviewed regularly to make sure it remains accurate and up to date.
Guidance
Guide to the GDPR - Right to be informed, ICO website
2.2 Communicate the processing of children’s personal data
If your business offers online services directly to children, you communicate privacy information in a way that a child will understand.
More information
You must provide children with the same fair processing information as you give adults. It will be good practice to also explain the risks involved in the processing and the safeguards you have put in place.
Any information directed at the child should be concise, clear, and written in plain language. It should be age-appropriate and presented in a way that appeals to a young audience.
If you are relying upon parental consent as your lawful basis for processing, it will be good practice to provide separate privacy notices aimed at both the child and the responsible adult.
If you provide online services and children younger than your target age range are likely to try and access it then it will be good practice to explain any age limit to them in language they will understand.
Suggested actions
Your privacy notice should:
- be concise, transparent, intelligible and easily accessible;
- be written in clear and plain language that can be understood by a child (age appropriate);
- explain the risks involved in the processing and the safeguards you have put in place;
- be free of charge; and
- be reviewed regularly to make sure it remains accurate and up to date.
If you are relying upon parental consent as your lawful basis for processing, it will be good practice to provide separate privacy notices aimed at both the child and the responsible adult.
2.3 Right of access
Your business has established a process to recognise and respond to individuals' requests to access their personal data.
More information
Individuals have the right to obtain:
* confirmation that their data is being processed;
* access to their personal data; and
* other supplementary information – this largely corresponds to the information that you should provide in a privacy notice.
You should provide a copy of the information free of charge. However, you can charge a ‘reasonable fee’ when a request:
* is manifestly unfounded or excessive, particularly if it is repetitive, unless you refuse to respond; or
* is for further copies of the same information (that’s previously been provided). This does not mean that you can charge for all subsequent access requests.
The fee must be based on the administrative cost of providing the information.
You will have less time to comply with a subject access request under the GDPR. Information must be provided without delay and at least within one calendar month of receipt. You can extend this period by a further two months for complex or numerous requests (in which case the individual must be informed and given an explanation).
A calendar month ends on the corresponding date of the next month (eg 2 January to 2 February), unless that date does not exist in which case it is the last day of the next month (eg 31 January to 28 February).
This means that the legal deadline will vary from 28 days to 31 days depending on the month. For practical purposes if a consistent number of days is required (eg for a computer system), it may be helpful to adopt a 28-day period to ensure compliance is always within a calendar month.
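The calendar-month rule described above, as an added worked example (not code from the ICO or from the original post). It computes the response deadline for a subject access request from its date of receipt, the deadline if the extension is invoked, and the conservative 28-day date, and checks the claim that 28 days never falls outside the calendar month. It assumes that the "further two months" extension is counted as calendar months from the date of receipt, which the text does not spell out.

```python
import calendar
from datetime import date, timedelta

ONE_MONTH = 1
EXTENSION_MONTHS = 2   # "a further two months" for complex or numerous requests
FIXED_DAYS = 28        # the fixed period the ICO suggests for computer systems


def add_calendar_months(start: date, months: int) -> date:
    """Apply the calendar-month rule: the period ends on the corresponding date
    in the target month, or on the last day of that month when the corresponding
    date does not exist (31 Jan -> 28 Feb, or 29 Feb in a leap year)."""
    month_index = start.month - 1 + months
    year = start.year + month_index // 12
    month = month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


def sar_deadlines(received: date) -> dict:
    """Statutory deadline, extended deadline and fixed 28-day deadline, all
    counted from the date of receipt.
    Assumption (not stated on the page): the two-month extension is counted as
    calendar months from receipt, i.e. three calendar months in total."""
    return {
        "received": received,
        "statutory": add_calendar_months(received, ONE_MONTH),
        "extended": add_calendar_months(received, ONE_MONTH + EXTENSION_MONTHS),
        "fixed_28_day": received + timedelta(days=FIXED_DAYS),
    }


def sar_deadlines_iso(received_iso: str) -> dict:
    """Same as sar_deadlines, but with ISO 8601 strings in and out, which is how
    a ticketing or case-management system would usually store the dates."""
    deadlines = sar_deadlines(date.fromisoformat(received_iso))
    return {key: value.isoformat() for key, value in deadlines.items()}


def is_overdue(received_iso: str, today_iso: str, extension_invoked: bool = False) -> bool:
    """True if an unanswered request has passed its deadline as of today_iso."""
    deadlines = sar_deadlines(date.fromisoformat(received_iso))
    due = deadlines["extended"] if extension_invoked else deadlines["statutory"]
    return date.fromisoformat(today_iso) > due


def fixed_period_always_within_month(year: int) -> bool:
    """Check the ICO's claim that a 28-day period is always within the calendar
    month, for every possible receipt date in the given year."""
    day = date(year, 1, 1)
    while day.year == year:
        if day + timedelta(days=FIXED_DAYS) > add_calendar_months(day, 1):
            return False
        day += timedelta(days=1)
    return True


if __name__ == "__main__":
    # Constructed sample receipt dates, including the two examples from the ICO text.
    for received in ("2018-01-02", "2018-01-31", "2020-01-31", "2018-12-15"):
        d = sar_deadlines_iso(received)
        days = (date.fromisoformat(d["statutory"]) - date.fromisoformat(received)).days
        print(f"received {received}: respond by {d['statutory']} ({days} days); "
              f"if extended {d['extended']}; 28-day rule {d['fixed_28_day']}")
    print("28-day period always within a calendar month in 2018:",
          fixed_period_always_within_month(2018))
```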
You must verify the identity of the person making the request, using “reasonable means”.
If the request is made electronically, you should provide the information in a commonly used electronic format.
Suggested actions
You should:
- ensure a process is in place to allow you to recognise and respond to any subject access requests within the timescales;
- include subject access procedures within your data protection policy;
- provide awareness training to all staff and specialist training to individuals who deal with any requests; and
- consider if you can provide remote access to a secure self-service system to provide the information directly to an individual in response to a request (this will not be appropriate for all organisations, but there are some sectors where this may work well).
Guidance
Guide to the GDPR - Right of access, ICO website
2.4 Right to rectification and data quality
Your business has processes in place to ensure that the personal data it holds remains accurate and up to date.
More information
Individuals have the right to have personal data rectified if it is inaccurate or incomplete.
You should respond to a request without delay and at least within one month of receipt.
You can extend this period by a further two months for complex or numerous requests (in which case the individual must be informed and given an explanation). If you have disclosed the personal data to a data processor (third party) you must inform them of the rectification where possible.
You should regularly review the information you process or store to identify when you need to do things like correct inaccurate records. Records management policies, with rules for creating and keeping records (including emails) can help.
Conducting regular data quality reviews of systems and manual records you hold will help to ensure the information continues to be adequate for the purposes of processing (for which it was collected).
You should also ensure that there are regular data quality checks completed to provide assurances on the accuracy of the data being inputted by staff.
If you identify any data accuracy issues, communicate lessons learned to staff through ongoing awareness campaigns and internal training.
Suggested actions
You should:
- implement procedures to allow individuals to challenge the accuracy of the information you hold about them and have it corrected if necessary;
- have procedures to inform any data processors (third parties) you have disclosed the information about the rectification where possible;
- create records management policies, with rules for creating and keeping records (including emails);
- conduct regular data quality reviews of systems and manual records you hold to ensure the information continues to be adequate for the purposes of processing (for which it was collected);
- regularly review information to identify when you need to correct inaccurate records, remove irrelevant ones and update out-of-date ones; and
- promote and feedback any data quality trends to staff through ongoing awareness campaigns and internal training.
Guidance
Guide to the GDPR - Right to rectification, ICO website
2.5 Right to erasure including retention and disposal
Your business has a process to securely dispose of personal data that is no longer required or where an individual has asked for it to be erased.
More information
Individuals have the right to be forgotten and can request the erasure of personal data when:
* it is no longer necessary in relation to the purpose for which it was originally collected/processed;
* the individual withdraws consent;
* the individual objects to the processing and there is no overriding legitimate interest for continuing the processing;
* it was unlawfully processed (ie otherwise in breach of the GDPR);
* it has to be erased in order to comply with a legal obligation; or
* it is processed in relation to the offer of information society services to a child.
You can refuse to comply with a request for erasure where the personal data is processed for the following reasons:
* to exercise the right of freedom of expression and information;
* to comply with a legal obligation for the performance of a public interest task or exercise of official authority;
* for public health purposes in the public interest;
* archiving purposes in the public interest, scientific research, historical research or statistical purposes; or
* the exercise or defence of legal claims.
A written retention policy or schedule will remind you when to dispose of various categories of data, and help you plan for its secure disposal.
You should regularly review your retention schedule to make sure it continues to meet business and statutory requirements and any amendments should be agreed with managers and incorporated into the new schedule.
You should designate responsibility for retention and disposal to an appropriate person.
Suggested actions
You should:
- have procedures in place which allow individuals to request the deletion or erasure of their information your business holds about them where there is no compelling reason for its continued processing;
- have procedures to inform any data processors (third parties) you have shared the information with about the request for erasure;
- have procedures to delete information from any back up systems;
- implement a written retention policy or schedule to remind you when to dispose of various categories of data, and help you plan for its secure disposal;
- regularly review the retention schedule to make sure it continues to meet business and statutory requirements;
- assign responsibility for retention and disposal to an appropriate person;
- have appropriate methods of destruction in place to prevent disclosure of personal data prior to, during and after disposal; and
- if you use third parties to dispose of personal data ensure the contract includes the requirement for them to have appropriate security measures and the facility to allow you to undertake an audit.
Guidance
Disposal of Records, National Archives
2.6 Right to restrict processing
Your business has procedures to respond to an individual’s request to restrict the processing of their personal data.
More information
Individuals have a right to block or restrict the processing of personal data.
When processing is restricted, you are permitted to store the personal data, but not further process it.
You can retain just enough information about the individual to ensure that the restriction is respected in the future.
You will be required to restrict the processing of personal data in the following circumstances:
* Where an individual contests the accuracy of the personal data, you should restrict the processing until you have verified the accuracy of the personal data.
* Where an individual has objected to the processing (where it was necessary for the performance of a public interest task or the purposes of legitimate interests), and you are considering whether your business’s legitimate grounds override those of the individual.
* When processing is unlawful and the individual opposes erasure and requests restriction instead.
* If you no longer need the personal data but the individual requires the data to be retained to allow them to establish, exercise or defend a legal claim.
You may need to review procedures to ensure you are able to determine where you may be required to restrict the processing of personal data.
If you have disclosed the personal data in question to third parties, you must inform them about the restriction on the processing of the personal data, unless it is impossible or involves disproportionate effort to do so.
You must inform individuals when you decide to lift a restriction on processing.
Suggested actions
You should:
- review your procedures to determine where you may be required to restrict the processing of personal data;
- implement a process that will enable individuals to submit a request to you;
- have a process to act on an individual’s request to block or restrict the processing of their personal data;
- have procedures to inform any data processors (third parties) you have shared the information with, if possible; and
- inform individuals when you decide to lift a restriction on processing.
Guidance
Guide to the GDPR - Right to restrict processing, ICO website
2.7 Right of data portability
Your business has processes to allow individuals to move, copy or transfer their personal data from one IT environment to another in a safe and secure way, without hindrance to usability.
More information
The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services.
They can receive personal data or move, copy or transfer that data from one business to another in a safe and secure way, without hindrance.
The right to data portability only applies:
* to personal data an individual has provided to a controller;
* where the processing is based on the individual’s consent or for the performance of a contract; and
* where the processing is carried out by automated means.
Information must be provided without delay and at least within one month of receipt. You can extend this period by a further two months for complex or numerous requests (in which case the individual must be informed and given an explanation).
You must provide the personal data in a structured, commonly used and machine readable format. Examples of appropriate formats include CSV and XML files.
You must provide the information free of charge.
If the individual requests it, you may be required to transmit the data directly to another business where this is technically feasible.
Suggested actions
You should:
- implement a process that will enable individuals to submit a request to you;
- have a process to allow you to recognise and respond to any individual requests in line with your legal obligations and statutory timescales;
- provide the personal data in a structured, commonly used and machine readable format;
- ensure that the medium in which the data is provided has appropriate technical measures in place to protect the data it contains; and
- ensure that the medium in which the data is provided allows individuals to move, copy or transfer that data easily from one organisation to another without hindrance.
Guidance
Guide to the GDPR - Right to data portability, ICO website
2.8 Right to object
Your business has procedures to handle an individual’s objection to the processing of their personal data.
More information
Individuals have the right to object to:
* processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling); and
* processing for purposes of scientific/historical research and statistics.
Individuals must have an objection on “grounds relating to his or her particular situation”.
However for processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority or for purposes of scientific/historical research and statistics you must stop processing the personal data unless:
* you can demonstrate compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual; or
* the processing is for the establishment, exercise or defence of legal claims.
Individuals also have the right to object to any processing undertaken for the purposes of direct marketing (including profiling). You must stop processing for direct marketing as soon as you receive an objection. There are no exemptions or grounds to refuse.
You must inform individuals of their right to object “at the point of first communication” and clearly lay this out in your privacy notice.
Suggested actions
You should:
- review your processes and privacy notice(s) to ensure they inform individuals of their right to object “at the point of first communication”. This information should be displayed or given clearly and separately from any other information;
- implement a process that will enable individuals to submit an objection request (this could include an online option);
- have processes in place to investigate an individual’s objection to the processing of their personal data within the legitimate grounds outlined within the GDPR; and
- provide training or raise awareness amongst your staff to ensure they are able to recognise and respond (or know where to refer the request to) to an objection raised by an individual.
2.9 Rights related to automated decision making including profiling
Your business has identified whether any of its processing operations constitute automated decision making and have procedures in place to deal with the requirements.
More information
The GDPR provides safeguards for individuals against the risk that a potentially damaging decision is taken without human intervention.
Individuals have the right not to be subject to a decision when:
* it is based on automated processing; and
* it produces a legal effect or similarly significant effect on the individual.
The right does not apply if the decision:
* is necessary for entering into or performance of a contract between you and the individual;
* is authorised by law (eg for the purposes of fraud or tax evasion prevention); or
* is based on the individual’s explicit consent, and your business has put in place suitable measures to safeguard the individual’s rights, freedoms and legitimate interests.
If suitable measures to safeguard the rights of data subjects are required, these must at least give the individual the right to:
* obtain human intervention;
* express their point of view; and
* obtain an explanation of the decision and challenge it.
The GDPR defines profiling as any form of automated processing intended to evaluate certain personal aspects of an individual, in particular to analyse or predict their:
* performance at work;
* economic situation;
* health;
* personal preferences;
* reliability;
* behaviour;
* location; or
* movements.
If the decision involves the processing of special categories of personal data then the exceptions available to justify the processing are more limited.
Processing can only take place if:
* you have the explicit consent of the individual and suitable measures to safeguard their rights, freedoms and legitimate interests are in place; or
* the processing is necessary for reasons of substantial public interest, proportionate to the aim pursued.
You should exercise particular caution if using automated decision making in relation to a child.
Suggested actions
You should:
- identify whether any of your processing operations constitute automated decision making;
- ensure that within any automated processing or decision making you undertake individuals are able to obtain human intervention, express their point of view and obtain an explanation of the decision and challenge it;
- implement appropriate safeguards when processing personal data for profiling purposes; and
- ensure that any automated decisions do not contravene the restrictions outlined within Article 9(2) of the GDPR.
Guidance
Guide to the GDPR - Rights related to automated decision making including profiling, ICO website
Step 3: Accountability and governance
3.1 Accountability
Your business has an appropriate data protection policy.
More information
The GDPR requires you to show how you comply with the principles.
A policy will help you address data protection in a consistent manner and demonstrate accountability under the GDPR. This can be a standalone policy statement or part of a general staff policy.
The policy should clearly set out your approach to data protection together with responsibilities for implementing the policy and monitoring compliance.
The policy should be approved by management, published and communicated to all staff. You should also review and update the policy at planned intervals or when required to ensure it remains relevant.
Suggested actions
You should have a standalone policy statement or general staff policy that:
- sets out your business's approach to data protection together with responsibilities for implementing the policy and monitoring compliance;
- aligns with and covers the measures within this checklist as a minimum;
- is approved by management, published and communicated to all staff; and
- is reviewed and updated at planned intervals or when required to ensure it remains relevant.
Guidance
Policy examples and templates are widely available online.
Your business monitors your own compliance with data protection policies and regularly reviews the effectiveness of data handling and security controls.
More information
Documenting policies alone is often not enough to provide assurances that staff are adhering to the processes they cover. You should ensure that you have a process to monitor compliance to data protection and security policies.
Measures that are detailed within the policies should be regularly tested to provide assurances as to their continued effectiveness.
Responsibility for monitoring compliance with the policy should be independent of the persons implementing the policy, to allow the monitoring to be unbiased. Results of compliance testing should then be reported on a regular basis to senior management.
Suggested actions
You should:
- establish a process to monitor compliance to the policies;
- regularly test the measures that are detailed within the policies to provide assurances that they continue to be effective;
- ensure that responsibility for monitoring compliance with the policies is independent of the persons implementing the policy, to allow the monitoring to be unbiased; and
- report any results to senior management.
Your business provides data protection awareness training for all staff.
More information
You should brief all staff handling personal data on their data protection responsibilities. It is good practice to provide awareness training on or shortly after appointment with updates at regular intervals or when required.
Specialist training for staff with specific duties, such as information security, database management and marketing, should also be considered.
The regular communication of key messages is equally important to help reinforce training and maintain awareness (for example intranet articles, circulars, team briefings and posters).
Suggested actions
You should:
- provide induction training on or shortly after appointment;
- update all staff at regular intervals or when required (for example, intranet articles, circulars, team briefings and posters); and
- provide specialist training for staff with specific duties, such as marketing, information security and database management.
Guidance
Think privacy toolkit, ICO website
Training checklist for small to medium sized organisations, ICO website
3.2 Data processor contracts
Your business has a written contract with any data processors you use.
More information
Whenever you use a processor you need to have a written contract in place.
The contract is important so that both parties understand their responsibilities and liabilities. The GDPR sets out what needs to be included in the contract.
In the future, standard contractual clauses may be provided by the European Commission or the ICO, and may form part of certification schemes. However at the moment no standard clauses have been drafted.
You are liable for your processor’s compliance with the GDPR and must only appoint processors who can provide ‘sufficient guarantees’ that the requirements of the GDPR will be met and the rights of data subjects protected. In the future, using a processor that adheres to an approved code of conduct or certification scheme may help you to satisfy this requirement – though again, no such schemes are currently available.
Processors must only act on your documented instructions. They will however have some direct responsibilities under the GDPR and may be subject to sanctions if they don’t comply.
Suggested actions
You should:
- ensure that whenever your business uses a processor (a third party who processes personal data on your behalf) there is a written contract in place;
- check that both new and existing contracts now include certain specific terms, as a minimum, to ensure that processing carried out by a processor meets all the requirements of the GDPR (not just those related to keeping personal data secure);
- determine whether it would be applicable to use standard contractual clauses from the EU Commission or a supervisory authority (such as the ICO) once drafted;
- investigate whether there are any approved codes of conduct or certification schemes that may be used to help you demonstrate that you have chosen a suitable processor; and
- use the ICO checklist (link below) to help you draft new contracts.
Guidance
Draft GDPR contracts guidance, ICO website
Guide to the GDPR - Contracts, ICO website
3.3 Information risks
Your business manages information risks in a structured way so that management understands the business impact of personal data related risks and manages them effectively.
More information
You should set out how you (and any of your data processors) manage information risk.
You need to have a senior staff member with responsibility for managing information risks, coordinating procedures put in place to mitigate them and for logging and risk assessing information assets.
Where you have identified information risks, you should have appropriate action plans in place to mitigate any risks that are not tolerated or terminated.
Suggested actions
You should:
- establish a clearly communicated set of security policies and procedures, which reflect business objectives and assign responsibilities to support good information risk management;
- ensure there are processes in place to analyse and log any identified threats, vulnerabilities, and potential impacts which are associated with your business activities and information (risk register); and
- apply controls to mitigate the identified risks within agreed appetites and regularly test these controls to ensure they remain effective.
Guidance
Assessing managing risk, National Archives
3.4 Data Protection by Design
Your business has implemented appropriate technical and organisational measures to integrate data protection into your processing activities.
More information
Under the GDPR, you have a general obligation to implement appropriate technical and organisational measures to show that you have considered and integrated data protection into your processing activities. Under the GDPR, this is referred to as data protection by design and by default.
You should adopt internal policies and implement measures which help your organisation comply with the data protection principles – this could include data minimisation, pseudonymisation and transparency measures.
Suggested actions
You should:
- look to continually minimise the amount and type of data you collect, process and store, such as by undertaking regular information and internal process audits across appropriate areas of the business;
- pseudonymise the personal data where appropriate to render the data record less identifying and therefore reduce concerns with data sharing and data retention;
- regularly undertake reviews of your public-facing documents, policies and privacy notice(s) to ensure they meet the renewed transparency requirements under the GDPR;
- ensure any current and/or new processes or systems enable you to comply with an individual’s rights under the GDPR; and
- create, review and improve your data security features and controls on an ongoing basis.
Guidance
Guide to the GDPR - Data protection by design and default, ICO website
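As an added example, not ICO content, this is one way to act on the pseudonymisation and data minimisation suggestions above in Python: direct identifiers are replaced by a keyed pseudonym, exact values are generalised, and unneeded fields are dropped. The field names, sample record and key handling are assumptions; note that the key holder can still re-link the pseudonym, so the output remains personal data, just with reduced risk.

```python
import hashlib
import hmac
import secrets
from typing import Dict

# Fields that identify a person directly; none may survive pseudonymisation.
DIRECT_IDENTIFIERS = frozenset(
    {"customer_id", "name", "email", "phone", "date_of_birth", "postcode"})
# Attributes the analytic purpose actually needs (data minimisation).
KEEP_FIELDS = ("plan", "marketing_opt_in")

def new_pseudonymisation_key() -> bytes:
    """Generate the secret key. Store it apart from the dataset with restricted
    access: whoever holds it can re-link pseudonyms to customer_id values."""
    return secrets.token_bytes(32)

def pseudonym_for(subject_id: str, key: bytes) -> str:
    """Keyed, deterministic token: same subject and key give the same token, so
    records can still be joined. A plain SHA-256 of a customer id would be
    guessable by anyone who can enumerate ids; the HMAC key prevents that."""
    return hmac.new(key, subject_id.encode("utf-8"), hashlib.sha256).hexdigest()[:32]

def age_band(date_of_birth: str, reference_year: int) -> str:
    """Generalise an exact date of birth (YYYY-MM-DD) to a ten-year band."""
    lower = ((reference_year - int(date_of_birth[:4])) // 10) * 10
    return f"{lower}-{lower + 9}"

def outward_code(postcode: str) -> str:
    """Keep only the outward part of a UK postcode (e.g. 'SW1A' from 'SW1A 1AA')."""
    return postcode.strip().upper().split()[0]

def pseudonymise(record: Dict[str, object], key: bytes,
                 reference_year: int = 2018) -> Dict[str, object]:
    """Return a copy of `record` with direct identifiers replaced by a keyed
    pseudonym and coarser attributes, and every other field dropped."""
    out: Dict[str, object] = {
        "pseudonym": pseudonym_for(str(record["customer_id"]), key),
        "age_band": age_band(str(record["date_of_birth"]), reference_year),
        "area": outward_code(str(record["postcode"])),
    }
    for field in KEEP_FIELDS:
        if field in record:
            out[field] = record[field]
    leaked = set(out) & DIRECT_IDENTIFIERS
    if leaked:  # fail closed rather than ship a record with identifiers in it
        raise ValueError(f"direct identifiers leaked: {sorted(leaked)}")
    return out

# Constructed sample record (hypothetical, not real data).
SAMPLE_RECORD: Dict[str, object] = {
    "customer_id": "C-10042", "name": "Ada Example", "email": "ada@example.com",
    "phone": "+44 20 7946 0000", "date_of_birth": "1985-06-14",
    "postcode": "sw1a 1aa", "plan": "premium", "marketing_opt_in": False,
    "notes": "called about invoice",  # free text is dropped: it may identify
}

if __name__ == "__main__":
    key = new_pseudonymisation_key()
    print(pseudonymise(SAMPLE_RECORD, key))
```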
3.5 Data Protection Impact Assessments (DPIA)
Your business understands when you must conduct a DPIA and has processes in place to action this.
More information
DPIAs help you to identify the most effective way to comply with your data protection obligations and meet individuals’ expectations of privacy.
An effective DPIA will allow you to identify and fix problems at an early stage, reducing the associated costs and damage to your reputation which might otherwise occur.
You must carry out a DPIA when:
* using new technologies; and
* when the processing is likely to result in a high risk to the rights and freedoms of individuals.
Processing that is likely to result in a high risk includes but is not limited to:
* systematic and extensive processing activities, including profiling, where decisions have legal effects – or similarly significant effects – on individuals;
* large scale processing of special categories of data or personal data relating to criminal convictions or offences; and
* large scale systematic monitoring of public areas.
The DPIA should contain the following information:
* a description of the processing operations and the purposes including, where applicable, the legitimate interests pursued by your business;
* an assessment of the necessity and proportionality of the processing in relation to the purpose;
* an assessment of the risks to individuals; and
* controls that you put in place to address any risks you’ve identified (including security).
Suggested actions
You should:
- establish a policy which sets out when you should conduct a DPIA, who will authorise it and how it will be incorporated into the overall project plan. A DPIA screening process may be a useful tool in determining whether a DPIA is required;
- assign responsibility for completing DPIAs to a member of staff who has sufficient control over the project to effect change eg Project Lead/Manager;
- where a DPIA is required, ensure the process is completed before the project begins;
- ensure your process for completing a DPIA includes consultation with the DPO/data protection lead, data processors, third party contractors and with the public/their representatives in most cases;
- ensure the information contained within the DPIA complies with the requirements under the GDPR and that the results are detailed within a report; and
- where a DPIA indicates that the processing would result in a high risk and you are unable to mitigate those risks by reasonable means, ensure your business knows to follow the ICO consultation process to seek its opinion as to whether the processing operation complies with the GDPR.
Guidance
Guide to the GDPR - Data protection impact assessments, ICO website
Your business has a DPIA framework which links to your existing risk management and project management processes.
More information
A DPIA can address multiple processing operations that are similar in terms of the risks, provided adequate consideration is given to the specific nature, scope, context and purposes of the processing.
You should start to assess the situations where it will be necessary to conduct one:
* Who will do it?
* Who else needs to be involved?
* Will the process be run centrally or locally?
If the processing is wholly or partly performed by a data processor, then that processor must assist you in carrying out the DPIA. It may also be appropriate to seek the views of data subjects in certain circumstances.
Suggested actions
You should:
- review your existing risk and project management processes and ensure there is consistency and links with your DPIA processes in place;
- drive awareness of DPIAs across your business, and particularly amongst risk and project teams so that they understand the requirements; and
- ensure DPIA documentation is readily available for staff to use and that staff have had training on how to conduct the assessment.
3.6 Data Protection Officers
Your business has nominated a data protection lead or Data Protection Officer (DPO).
More information
It is important to make sure that someone in your business, or an external data protection advisor, takes responsibility for data protection compliance.
You may need to appoint a DPO. Any business can appoint a DPO but you must do so if you:
* are a public authority (except for courts acting in their judicial capacity);
* carry out large scale systematic monitoring of individuals (eg online behaviour tracking); or
* carry out large scale processing of special categories of data or data relating to criminal convictions and offences.
The DPO should work independently, report to the highest management level and have adequate resources to enable your organisation to meet its GDPR obligations.
The DPO’s minimum tasks are to:
* inform and advise the organisation and its employees about their obligations to comply with the GDPR and other data protection laws;
* monitor compliance with the GDPR and other data protection laws, including managing internal data protection activities, advising on data protection impact assessments, training staff and conducting internal audits; and
* be the first point of contact for supervisory authorities and for individuals whose data is processed (employees, customers etc).
Suggested actions
You should:
- designate responsibility for data protection compliance to a suitable individual;
- support the appointed individual through provision of appropriate training;
- ensure there are appropriate reporting mechanisms in place between the individual responsible for data protection compliance and senior management;
- register the details of your DPO with the ICO; and
- document the internal analysis carried out to determine whether or not a DPO is to be appointed, unless it is obvious that your organisation is not required to designate a DPO.
Guidance
Guide to the GDPR - Data protection officers, ICO website
3.7 Management Responsibility
Decision makers and key people in your business demonstrate support for data protection legislation and promote a positive culture of data protection compliance across the business.
More information
You should make sure that decision makers and key people in your business are aware of the requirements under the GDPR.
Decision makers and key people should lead by example, demonstrating accountability for compliance with the GDPR and promoting a positive culture, within your business, for data protection.
They should take the lead when assessing any impacts to your business and encourage a privacy by design approach.
They should help to drive awareness amongst all staff regarding the importance of exercising good data protection practices.
Suggested actions
You should:
- clearly set out your business’s approach to data protection and assign management responsibilities;
- ensure you have a policy framework and information governance strategy in place to support a positive data protection and security culture which has been endorsed by management;
- assess and identify areas that could cause data protection or security compliance problems and record these on your business's risk register;
- deliver training which encourages personal responsibility and good security behaviours; and
- run regular general awareness campaigns across your business to educate staff on their data protection and security responsibilities and promote data protection and security awareness and compliance.
Guidance
Think Privacy training, ICO website
Step 4: Data security, international transfers and breaches
4.1 Security policy
Your business has an information security policy supported by appropriate security measures.
More information
You should process personal data in a manner that ensures appropriate security.
Before you can decide what level of security is right for you, you will need to assess the risks to the personal data you hold and choose security measures that are appropriate to your needs.
Keeping your IT systems safe and secure can be a complex task and does require time, resource and (potentially) specialist expertise.
If you are processing personal data within your IT system(s) you need to recognise the risks involved and take appropriate technical measures to secure the data.
The measures you put in place should fit your business’s needs. They don’t necessarily have to be expensive or onerous. They may even be free or already available within the IT systems you currently have.
A good starting point is to establish and implement a robust Information Security policy which details your approach to information security, the technical and organisational measures that you will be implementing and the roles and responsibilities staff have in relation to keeping information secure.
Suggested actions
You should:
- develop, implement and communicate an information security policy;
- ensure the policy covers key information security topics such as network security, physical security, access controls, secure configuration, patch management, email and internet use, data storage and maintenance and security breach / incident management;
- implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with your security policy;
- implement periodic checks for compliance with policy, to give assurances that security controls are operational and effective; and
- deliver regular staff training on all areas within the information security policy.
Guidance
The ICO has previously produced guidance to assist organisations in securing the personal data they hold. We are working to update existing guidance to reflect GDPR provisions and once completed, this section will expand to include this information.
In the meantime, the existing guidance is a good starting point for organisations. This is located in the guidance index under the ‘security’ heading.
Small businesses guidance, National Cyber Security Centre website
4.2 International transfers
Your business ensures an adequate level of protection for any personal data processed by others on your behalf that is transferred outside the European Economic Area.
More information
The GDPR imposes restrictions on the transfer of personal data outside the European Union, to third countries or international organisations.
These restrictions are in place to ensure that the level of protection of individuals afforded by the GDPR is not undermined.
Personal data may only be transferred outside of the EU in compliance with the conditions for transfer set out in Chapter V of the GDPR.
Suggested actions
You should:
- ensure that any data you transfer outside the EU is handled in compliance with the conditions for transfer set out in Chapter V of the GDPR;
- ensure that there are adequate safeguards and data security in place, documented in a written contract using standard data protection contract clauses; and
- implement measures to audit any documented security arrangements on a periodic basis.
Guidance
Guide to the GDPR - International transfers, ICO website
4.3 Breach notification
Your business has effective processes to identify, report, manage and resolve any personal data breaches.
More information
The GDPR introduces a duty on all organisations to report certain types of personal data breaches to the ICO and, in some cases, to the individuals affected.
A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
You only have to notify the ICO of a breach where it is likely to result in a risk to the rights and freedoms of individuals.
Where a breach is likely to result in a high risk to the rights and freedoms of individuals, you must notify those concerned directly and without undue delay.
In all cases you must maintain records of personal data breaches, whether or not they were notifiable to the ICO.
A notifiable breach has to be reported to the ICO within 72 hours of the business becoming aware of it. The GDPR recognises that it will often be impossible to investigate a breach fully within that time-period and allows you to provide additional information in phases. You should make sure that your staff understand what constitutes a personal data breach, and that this is more than a loss of personal data.
You should ensure that you have an internal breach reporting procedure in place. This will facilitate decision-making about whether you need to notify the relevant supervisory authority or the public.
In light of the tight timescales for reporting a breach, it is important to have robust breach detection, investigation and internal reporting procedures in place.
Suggested actions
You should:
- train staff how to recognise and report breaches;
- have a process to report breaches to the appropriate individuals as soon as staff become aware of them, and to investigate and implement recovery plans;
- put mechanisms in place to assess the likely risk to individuals and then, if necessary, notify individuals affected and report the breach to the ICO; and
- monitor the type, volume and cost of incidents to identify trends and help prevent recurrences.
Guidance
Guide to the GDPR - Data breaches, ICO website
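As an added example, not ICO content, here is a minimal personal data breach register in Python that applies the rules described above: every breach is recorded, the 72-hour ICO window is counted from awareness, and individuals are told only where the risk is high. The incident references, timestamps and risk ratings are constructed, and the risk rating itself is assumed to come from your own assessment step.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, List, Optional

ICO_WINDOW = timedelta(hours=72)  # counted from when the business became aware

class Risk(Enum):
    NONE = "unlikely to result in a risk"     # record internally only
    RISK = "likely to result in a risk"       # report to the ICO
    HIGH = "likely to result in a high risk"  # report to the ICO and tell individuals

# A personal data breach is any of these outcomes, not only loss of data.
BREACH_TYPES = ("destruction", "loss", "alteration",
                "unauthorised disclosure", "unauthorised access")

@dataclass
class Breach:
    reference: str
    breach_type: str
    became_aware: datetime
    risk: Risk
    reported_to_ico: Optional[datetime] = None
    individuals_notified: Optional[datetime] = None

    def __post_init__(self) -> None:
        if self.breach_type not in BREACH_TYPES:
            raise ValueError(f"not a personal data breach type: {self.breach_type}")
    def ico_deadline(self) -> Optional[datetime]:
        """72 hours from awareness if notifiable to the ICO, else None."""
        return self.became_aware + ICO_WINDOW if self.risk is not Risk.NONE else None

    def outstanding_actions(self, now: datetime) -> List[str]:
        """What still needs doing at `now`; empty means nothing is outstanding."""
        actions: List[str] = []
        deadline = self.ico_deadline()
        if deadline is not None and self.reported_to_ico is None:
            hours_left = (deadline - now) / timedelta(hours=1)
            state = "OVERDUE" if hours_left < 0 else f"{hours_left:.0f}h left"
            actions.append(f"report to ICO ({state})")
        if self.risk is Risk.HIGH and self.individuals_notified is None:
            actions.append("notify affected individuals without undue delay")
        return actions

class BreachRegister:
    """Every breach is logged here, whether or not it is notifiable."""
    def __init__(self) -> None:
        self.entries: List[Breach] = []
    def log(self, breach: Breach) -> Breach:
        self.entries.append(breach)
        return breach
    def overdue(self, now: datetime) -> List[str]:
        return [b.reference for b in self.entries
                if any("OVERDUE" in a for a in b.outstanding_actions(now))]
    def counts_by_type(self) -> Dict[str, int]:
        """Trend data for the 'monitor the type, volume and cost' action."""
        return dict(Counter(b.breach_type for b in self.entries))

# Constructed sample incidents (hypothetical references and timestamps).
AWARE = datetime(2018, 1, 19, 9, 0, tzinfo=timezone.utc)
NOW = AWARE + timedelta(hours=80)  # 8 hours past the 72-hour window

def sample_register() -> BreachRegister:
    reg = BreachRegister()
    reg.log(Breach("BR-001", "unauthorised disclosure", AWARE, Risk.HIGH))
    reg.log(Breach("BR-002", "loss", AWARE, Risk.NONE))  # e.g. encrypted device
    reg.log(Breach("BR-003", "unauthorised access", AWARE, Risk.RISK,
                   reported_to_ico=AWARE + timedelta(hours=30)))
    return reg
```

Calling `sample_register().overdue(NOW)` lists only BR-001, which still needs both the ICO report and direct notification of the individuals.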
Closing comment
Again, I want to stress I did not write the above content - this all comes from the ICO website - but I hope laying this out like this is useful.