Lesson 3

GDPR compliance step 3: Implementing your programme

Becoming Compliant

Now comes the time to implement the programme. Are you going to do this using spreadsheets that you generate internally? Are you going to hire a consultant to help you with the process? Or are you going to look for an online collaborative service that will help you track your implementation?

Reporting

Before you begin implementing your programme, make sure you know how you’re going to report on it. Ask yourself how you’ll get oversight on the progress of compliance checklists. And how you’ll know which tasks are assigned to which individuals. You’ll also need to know how to report to management on your progress.

Emails and spreadsheets can quickly become inefficient. There’s also the possibility of overcrowded inboxes and missed versioning. Often it’s a challenge to get global oversight of where you are in the process. So we suggest using an online software platform.

Compliance analysis and checklists

It’s vital that you comply with the requirements for the proper processing of personal data, from its collection through to its deletion. To do this you’ll need to perform a gap analysis by going through checklists related to data subject consent, digital marketing, automated decision making, HR practices, and IT use and security. Some areas require significant analysis. Your human resources department will need to review recruitment practices, employment records, employee monitoring and employee health data practices. Your IT department will need to review the use of IT, security controls and information quality.

While doing this analysis you need to be able to track the status of the compliance items that track to the regulation. For that you need either a trained DPO, a consultant or a software service that can provide you with those checklists.

You also need to be able to assign and gain feedback and oversight on open items, and to assign risk levels to them so your organisation can determine the importance of addressing the non-compliant items. To this end, a risk analysis can be done to ensure the proper resources are dedicated to the issue.

Governance

The GDPR compels transparency and requires an organisation to communicate with individuals through a privacy notice, exactly which personal details are being collected and how they’re being processed or used. Additionally, an organisation must communicate what it’s doing to protect personal data and it must communicate to individuals their data rights and how they can exercise those rights.

Organisations will need to review and most likely re-draft their privacy notices in a concise, transparent, intelligible and easily accessible form using clear and plain language. Particular attention needs to be paid when providing information addressed to children.

Furthermore, organisations must include all of the prescriptive elements detailed in the GDPR for privacy notices. They can ask lawyers or consultants to help with this process or work with a software provider who can provide them with privacy notice templates. Some providers like GDPR365 provide a complete privacy notice generated from the data mapping exercise and a link to post the notice in all the relevant website data collection locations.

Organisations may also need to adapt their internal data management and data protection policies, as well as standards and rules around information handling and use. These policies should then be used to drive data protection impact assessments (DPIAs) and existing and new organisational  practices. These policies will be included in employee training programmes to ensure staff are aware of the policies and their responsibilities under the GDPR.

Staff training

This deserves special mention because it’s crucial to GDPR compliance. GDPR compliance is not just about technology and processes. If staff are not aware, especially staff that have access to personal data, then non-compliance is a real possibility regardless of the quality of systems in place.

You need to make sure employees are aware of the different categories of data. They need to know that the purpose for which data is processed has to be lawful. They need to be aware of data subject rights so they can ensure data subjects are protected. They need to be aware of controller/processor relationships and the concepts of data minimisation and data retention. Most importantly they need to be aware of their role in data protection, especially with regard to issues like cyber security.

We suggest personalised training sessions for individuals who have access to personal data, and email or written training for the rest of staff. Policies should be regularly sent out to all staff members, and a system of recording the receipt and acceptance of these policies needs to be in place so that your organisation has an audit trail of its training activities.

Subject access requests

An organisation must adapt its internal processes to comply with new requirements concerning the exercise of data subjects' rights, in particular:

  • The data controller must respond to a request without delay and within one month. This time period can be extended for a maximum of two further months if the request is particularly complex or if the data controller is facing a high number of requests.

  • No charges may be imposed on the data subject, except if the request is manifestly unfounded or excessive. If a charge is imposed on the data subject, the charge should be reasonable and the data controller must prove the manifestly unfounded or excessive nature of the request.

  • If there’s serious doubt regarding the identity of the individual making the request, the data controller may request additional information necessary to confirm this identity.

  • The controller must be aware of the limitations around including the personal data of a third party in the response to the access request.

 Due to the risk of non-response to a data subject request, we strongly recommend that a process outside of normal support and client query channels be set up specifically to deal with subject access requests. Then each request can be registered and the time taken to respond to and close the case can also be logged.

Furthermore, the new rights of erasure, restriction of processing and data portability will require significant changes to an organisation’s operational processes and IT systems to ensure data subjects can exercise their rights effectively. The data map will help you understand all the locations where the data subjects’ data is being processed. An organisation will need to be able to retrieve the data from its internal systems, but it’ll also need to make sure its processors can access any data subject information they hold as well as action it in the event of an erasure or restriction.

Needless to say, it won’t be easy for data controllers to comply with their obligation to take reasonable steps to inform third parties of the request to have data erased, especially if the data has gone viral.

Data breach incident management

Article 41(1)(12) of the GDPR defines a personal data breach as ‘a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed’.

Data controllers have an obligation to notify the supervisory authority within 72 hours of gaining knowledge of the data breach. If the data breach is likely to result in a high risk to the rights and freedoms of natural persons the controller must also inform the affected data subjects. The GDPR is prescriptive about the information that needs to be provided to the supervisory authority and how the data subjects are informed.

Data processors have an obligation to notify the controller in the event of a data breach and the controller has an obligation to make the notification known to the supervisory authority. An organisation needs to make sure its breach incident management process is adapted so that a determination can be made as to whether data subjects need to be informed, and so that they can be reported to the data supervisory authority within the required time frame.

Processors and legal grounds for processing

The data mapping exercise should’ve helped with this by identifying all the data subjects and the uses of their personal data as well as lawful grounds on which the data is collected and used.

There needs to be a processor contract in place with each processor. The lawful basis for the processing needs to be defined and the contract should state that the processor is only able to process the personal data for those purposes. Additionally, the contract must ensure that the processor has acceptable security practices in place and that it’ll support the processor in the event of a data subject request or a data breach.

If processors are outside the EU then organisations must make sure there’s an appropriate legal safeguard in place for the transfer of the data.

All processor agreements must be reviewed and renegotiated and brought into alignment with the GDPR.

International data transfers

While the regulation doesn’t change substantially regarding international transfers there are some changes that need to be addressed to ensure compliance.

If there isn’t an EU adequacy decision in place, an entity can only transfer personal data to a third party or international organisation if there are ‘appropriate safeguards’. These are detailed in Article 44 and can be legally binding enforceable instruments between public bodies, binding corporate rules, standard Commission (or DPA) approved contract clauses, approved codes of conduct or approved certification mechanisms.

As part of the compliance process, organisations should review their data flows and ensure that appropriate transfer mechanisms are in place.

Accountability

As you can see there are lots of action points that need to be addressed to achieve compliance. One of the more critical is the ability to demonstrate the actions you’ve taken in the event of an audit. So make sure your implementation activities are all documented and easily accessible.

If you’re looking for a system that will not only help you create the programme but also document every step along the way, look no further than GDPR365.

GDPR365 enables you to easily get your compliance documentation in place, train your employees and manage your direct marketing, HR and IT services. GDPR365 manages and stores all contract documents with your processors and for sharing agreements. GDPR365 provides full workflows to manage data subject access requests and breaches in the security of your personal data.

GDPR365 can help you prepare for the GDPR. Our team will help you understand how the regulation applies to you and provide a self-service tool with concrete steps to achieve and ensure ongoing GDPR compliance.

Register a no-obligation account Please contact us to discuss using GDPR365 to become compliant