Hi, how are ya? It’s September, nearly the end of Summer and more than three months past the 25th of May. The sky didn’t fall in and the holidays have been great, but there is a sense of uncertainty in the air. Do you know what you’re supposed to be doing for your GDPR compliance now that The Date has passed? How many of the ten points below (in no particular order) do you have covered?
1. The Data Protection Officer and Supporting Structure
Have you appointed a DPO? Do you know if you need to appoint a DPO? Smaller businesses have battled with this question, especially quantifying what ‘large scale processing’ means in their context. Querying the Data Protection Commission has resulted in some rather ambiguous answers, leaving it up to the business to ultimately decide whether a DPO should be appointed. If you feel you are not required to appoint a DPO in an official capacity, you should at the very least have appointed somebody in your business to be the data protection lead. Further to this, you should have established a data protection committee (its size dependent on your organisational structure) to support the DPO or lead in their role and to ensure the data protection policies in your business are being heard, understood and adhered to.
2. Awareness and Training
This point is short. Make sure that every person in your business, from top to bottom and side to side, has at the very least experienced a GDPR awareness training programme. Further to this, any person in your business who is required to abide by policies and procedures should be trained on those specific policies and procedures. And, further to this, you should by now have conducted an assessment of your business to determine who needs specialised data protection training relevant to their position in the business. Everybody in the business should know the procedure for subject access requests (where data subjects exercise their rights) and for incident management.
3. Data Subject Rights
Do you know what rights a data subject enjoys? Are you equipped to deal with those rights? There is no exemption in this regard for smaller businesses. You will have to deal with data subject rights whether you want to or not. Data subject rights are intricately tied up with your Article 30 records of processing, the legal basis on which you process and the policies and notices you have drawn up and issued. Always be aware, especially when identifying the basis for processing, of the rights your data subjects enjoy, and ensure there is a sanctioned procedure for dealing with these rights within the required time frames. If in doubt as to whether you can meet your obligations in law, simulate an exercise within your business.
4. Incident Management and Data Breaches
Your incident management procedure should be so tight right now that if Harry Houdini were inside the flow, he would not find a way out. Do you know what constitutes a data breach and a reportable data breach? And by reportable, I mean reportable to the Data Protection Commission and reportable to the data subject. Do you know what measures you can take to protect data should it be involved in an incident or breach? How long would it take you to find out about a data breach in your business? Knowing where all your data is, who manages your data stores and the security measures attached to each data asset will go a long way to helping you here. Again, if in doubt as to whether you can meet your obligations in law, and very specifically here whether you can meet the 72-hour reporting requirement, simulate an exercise within your business.
5. Article 30 Records of Processing
You will most likely be required to keep Article 30 records of processing no matter the size of your business. If you engage in processing that is likely to result in a risk to the rights and freedoms of data subjects, processing that is not occasional, OR processing that includes special categories of data or personal data relating to criminal convictions and offences, you are required to keep these records. Note especially the second point: processing that is not occasional. This means any regular data processing activity occurring in your business. There is no official or prescribed format for these records, so you are permitted to keep them in a manner that suits your business.
6. Policies and Notices
Do you have an up-to-date and adequate data protection policy for your business? Have you aligned your privacy notices to this data protection policy? If your data subjects include children, write the notices in such a way that they will understand them. Are you serving your notices correctly to your data subjects and making every effort to signpost them at data collection points? If they are long and unwieldy, try layering the notices. Again, there is no set format or template for these documents; however, there are essential elements that must be included, and you should be writing them in clear and plain language.
7. International Transfers of Personal Data
We will assume that you have a fair idea of the data flow within your business as well as the data flow in and out of your business. If any data flows involve international transfers of personal data, are you certain of the mechanism under which you are transferring the data? Are you relying on an adequacy decision? Are you relying on one of the other nine measures available? And have you documented all of the above?
8. Data Processing Agreements
Data flows will reveal to you whether you are the data controller, joint controller, data processor or third party. Every link in this chain should be covered by a written agreement that is compliant with current law and that is kept up to date. Every one of these written agreements should contain appropriate security and other data protection safeguards. Further, these agreements need to clearly outline where responsibilities and liability lie. To quote the Data Protection Commission: informal and ad hoc arrangements will not be acceptable where personal data is involved.
9. Data Protection and Privacy Program
All of the above contribute to a formal privacy program within the business. The GDPR is here to stay. The GDPR should be discussed at your meetings. The GDPR should be considered when entering new business relationships. The GDPR must be considered at the beginning of all your projects, and all current projects need to be examined through the lens of the GDPR. The GDPR needs to be infused into business as usual. The GDPR is your new way of life. Make friends with it and be surprised at the positive effects. Deals happen more easily when you can prove your compliance, your business gets a lovely spring clean, you’ll likely discover a few redundant ongoing contracts that will save you money when cancelled, and your employees feel confident in their roles.
10. Audit Readiness
Which brings us to the last point: being ready for a data protection audit. You can call for an independent audit of your business. You might be required to undergo an audit before a business deal is approved. If you are a data processor, more than likely you must agree to regular or periodic audits of your business by data controllers who may wish to satisfy themselves of the veracity of your claims. You also might face the reality that the Data Protection Commission has chosen your business for an audit. Are you ready for that? If you’re not sure, have a look at the guide to the audit process that the Data Protection Commission makes available.
If you need assistance with any of the above, we are here to walk with you down this road as a partner and helping hand.