GDPR tips: How to ensure ongoing compliance with GDPR

Nine things to do ensure you're compliant with the General Data Protection Regulation (GDPR) when it takes effect on 25 may 2018

Tom Macaulay February 14, 2018

Twitter

Facebook

Google Plus

GDPR has arrived, but that doesn't mean the compliance journey is over.

Information Commissioner Elizabeth Denham describes GDPR as "the biggest change to data protection law for a generation". Breaches of the complex regulation could result in a fine of up to €20 million or four percent of global turnover, but most organisations will still have much work to do beyond the deadline.

Follow these tips to ensure your organisation is GDPR compliant.

1. Understand GDPR

GDPR was adopted by the European Parliament in April 2016 to bring data protection rules up-to-date with contemporary concerns around the use of personal information. It applies to all data processed within the EU and to data on EU subjects used by companies outside the union.

The rules come into effect on 25 May 2018 and will continue to apply in the UK after the country leaves the EU. The GDPR rules will be mirrored in the Data Protection Bill that is currently going through Parliament.

It applies to applies to both 'controllers' and 'processors', and covers existing rules that have now been strengthened as well as a series of new rights for data subjects.

2. Identify and document the data you hold

Conduct a thorough investigation into the data you currently store. Identify where it's held, any data that's personal or sensitive, how it's processed and who has access to it. Document this information as thoroughly as possible.

"Have an initial catalogue [so] that you know the personal data in your business, where it is, its lineage and what processing you do," is the minimum level of record-keeping suggested by Richard Hogg, IBM's Global GDPR Evangelist.

"That would form the basis that you could use if and when the regulator comes knocking from May next year."

3. Review current data governance practices

Gartner recommends that organisations demonstrate accountability for all of their processing activities in a transparent manner.

Evaluate your current data governance practices and policies, document the lawful basis for any processing and identify any areas that require improvements. Internal records must be kept of any processing activities, with all data tagged and classified.

Check how data flows across different borders both within the EU and outside it, and pay particular attention to practices involving children's data, as GDPR has significantly strengthened the security requirements around processing, age verification and consent for such information.

The ICO has produced a series of data protection self-assessment toolkits to help organisations check their preparations in general and around information security, direct marketing, records management, data sharing, subject access and CCTV.

4. Check consent procedures

Under GDPR, consent for any data processing must be specific, granular, and auditable. The consent needs to be simple to understand and easy to withdraw.

The new requirements for consent could force some organisations to approach current data subjects again to request new permission to use their data. Review your current consent processes and establish when consent is needed and how it should be provided to ensure your obligations are being fulfilled.

"GDPR is focusing on the record-keeping around consent and the audit trail you need to have," says head of international strategy and intelligence at the ICO Steve Wood.

"Consent has got to be easy to withdraw, and you're going to need to be able to clearly name your organisation and make that clear to individuals, and also the third parties whom the data may be shared with."

Keep clear records of all consent taken, establish straightforward withdrawal mechanisms and regularly review procedures to keep up with any changes to processing activities.

5. Assign data protection leads

A data protection officer (DPO) is necessary for public authorities or organisations that do large-scale monitoring of individuals or of special categories of data or data relating to criminal convictions and offences.

Even if a DPO is not essential for your organisation, designating an individual responsible for data governance will help keep GDPR compliance on track.

Gartner recommends that organisations appoint an individual to act as a contact point for the data protection authority (DPA) and data subjects, and a DPO to ensure processing operations are compliant.

Read next: How are companies preparing for GDPR?

6. Establish procedures for reporting breaches

Put processes in place for detecting, investigating and reporting breaches and develop an internal plan for responses. Data breach testing can ensure your procedures are effective.

A report by privacy think tank the Centre for Information Policy Leadership (CIPL) recommends that organisations "conduct 'dry runs' of breach notification plans, have cyber insurance, or retain public relations and forensic experts."

Read next: How Dell EMC is preparing for GDPR

7. Develop a framework of policies and procedures to support rights of data subjects

Ensure your procedures are adequate for data subjects to exercise their extended rights under GDPR. These include the right to be informed; the right of access; the right to rectification; the right to restrict processing; the right to data portability; the right to object, the right to not be subject to automated decision-making including profiling; and the right to erasure (the right to be forgotten).

Consider how the organisation can respond to any requests to implement each of these rights, who should be responsible, what systems will be required to support them and how to ensure that information can be provided in a commonly used format.

Establishing a risk assessment framework is a sensible way of managing data privacy and ensuring compliance. The ICO recommends including a description of the processing operations and purposes, an assessment of the needs of the processing in relation to the purpose and an assessment of the risks and the measures in place to address them.

8. Raise awareness

The GDPR requires privacy protection by design and by default. Best practices for information governance should be embedded throughout the organisation and at every stage of each business process.

"Data is critical to many business processes, products, and services," explains the Centre for Information Policy Leadership (CIPL) report. "This is why GDPR implementation must be a concerted effort across the organisation, with the DPO working hand-in-hand with Chief Data Officer (CDO), Chief Information Officer (CIO), Chief Information Security Officer (CISO) and other senior leadership.”

Training should be put in place to ensure that every staff member understands the requirements of GDPR and their individual responsibilities for ensuring compliance.

"I see the chief privacy officer as a real champion for many in the organisation to help get their awareness raised and to make sure that people understand this,” suggests Nick Coleman, IBM's global head of cyber security intelligence.

9. Create a GDPR compliance implementation plan

After establishing which current policies and practices need amending, establish a plan for implementing the necessary changes.

"It's having a battle plan," says Coleman. "The practical [part] is prioritise the resources, prioritise support, prioritise what capabilities you need at what level of maturity to be able to get you in a state that you feel comfortable with by May 2018."

Read next: How IBM is preparing for GDPR

10. Consider a GDPR compliance tool

Software companies keen to cash in on the GDPR are releasing a growing number of products to support compliance with the regulation.

None will guarantee that your data practices are in order, but a number of them that can help you get ready for the regulation. They include data discovery tools, consent management systems, self-assessment toolkits and comprehensive data management platforms.

Computerworld UK has compiled a list of some of the best products that help organisations prepare for GDPR.

11. Stay positive

Complying with GDPR will require significant time and effort, but there are positive implications to the regulation, as Dunham explains.

"One of the key drivers for data protection change is the importance and continuing evolution of the digital economy in the UK and around the world," she wrote in the ICO blog in November. "That is why both the ICO and UK government have pushed for reform of the EU law for several years.

"The digital economy is primarily built upon the collection and exchange of data, including large amounts of personal data – much of it sensitive. Growth in the digital economy requires public confidence in the protection of this information."