GDPR tips: How to comply with the General Data Protection Regulation

Our guide to GDPR compliance for organisations in the UK

Tom Macaulay December 7, 2018

Twitter

Facebook

GDPR has been in force for more than six months, but many organisations are still struggling to comply with the General Data Protection Regulation.

The International Association of Privacy Professionals (IAPP) revealed in October that only 56 percent of companies surveyed for its Annual Privacy Governance Report consider themselves to be fully compliant with the regulation, while 19 percent said they will never be compliant.

Follow these tips to ensure your organisation isn't one of them.

1. Understanding GDPR

GDPR was adopted by the European Parliament in April 2016 to bring data protection rules up-to-date with contemporary concerns around the use of personal information. It applies to all data processed within the EU and to data on EU subjects used by companies outside the union.

The rules came into effect on 25 May 2018 and have been mirrored in the Data Protection Act 2018 to ensure that they continue to apply in the UK after the country leaves the EU.

The regulation applies to applies to both "controllers" and "processors" of data, and covers existing rules that have now been strengthened as well as a series of new rights for data subjects.

2. Identify and document the data you hold

Conduct a thorough investigation into the data you store. Identify where it's held, any data that's personal or sensitive, how it's processed and who has access to it. Document this information as thoroughly as possible.

"Have an initial catalogue [so] that you know the personal data in your business, where it is, its lineage and what processing you do," is the minimum level of record-keeping suggested by Richard Hogg, IBM's Global GDPR Evangelist.

"That would form the basis that you could use if and when the regulator comes knocking".

3. Review current data governance practices

Gartner recommends that organisations demonstrate accountability for all of their processing activities in a transparent manner.

Evaluate your current data governance practices and policies, document the lawful basis for any processing and identify any areas that require improvements. Internal records must be kept of any processing activities, with all data tagged and classified.

Check how data flows across different borders both within the EU and outside it, and pay particular attention to practices involving children's data, as GDPR has significantly strengthened the security requirements around processing, age verification and consent for such information.

The ICO has produced a series of data protection self-assessment toolkits to help organisations check their preparations in general and around information security, direct marketing, records management, data sharing, subject access and CCTV.

4. Check consent procedures

Under GDPR, consent for any data processing must be specific, granular, and auditable. The consent needs to be simple to understand and easy to withdraw.

The new requirements for consent could force some organisations to approach current data subjects again to request new permission to use their data. Review your current consent processes and establish when consent is needed and how it should be provided to ensure your obligations are being fulfilled.

"GDPR is focusing on the record-keeping around consent and the audit trail you need to have," says Steve Wood, head of international strategy and intelligence at the ICO.

"Consent has got to be easy to withdraw, and you're going to need to be able to clearly name your organisation and make that clear to individuals, and also the third parties whom the data may be shared with."

Keep clear records of all consent taken, establish straightforward withdrawal mechanisms and regularly review procedures to keep up with any changes to processing activities.

5. Assign data protection leads

A data protection officer (DPO) is necessary for public authorities or organisations that do large-scale monitoring of individuals or of special categories of data or data relating to criminal convictions and offences.

Even if a DPO is not essential for your organisation, designating an individual responsible for data governance will help keep GDPR compliance on track.

Gartner advises organisations to appoint an individual to act as a contact point for the data protection authority (DPA) and data subjects, and a DPO to ensure processing operations are compliant.

The International Association of Privacy Professionals (IAPP) reported in October 2018 that 75 percent of respondents to its annual survey had now appointed at least one DPO.

"This position is not just fulfilling a legal obligation; moreover, organisations recognise that it behooves them to have access to GDPR expertise for internal operations, as well as to interface with regulators, business partners, and consumers," says Rita Heimes, general counsel and research director at IAPP.

6. Establish procedures for reporting breaches

Put processes in place for detecting, investigating and reporting breaches and develop an internal plan for responses. Data breach testing can ensure your procedures are effective.

A report by privacy think tank the Centre for Information Policy Leadership (CIPL) recommends that organisations "conduct 'dry runs' of breach notification plans, have cyber insurance, or retain public relations and forensic experts."

7. Develop a framework of policies and procedures to support data subject rights

Ensure your procedures are adequate for data subjects to exercise their extended rights under GDPR. These include the right to be informed; the right of access; the right to rectification; the right to restrict processing; the right to data portability; the right to object, the right to not be subject to automated decision-making including profiling; and the right to erasure (the right to be forgotten).

Consider how your organisation can respond to any requests to implement each of these rights, who should be responsible, what supporting systems will be required, and how to ensure that information can be provided in a commonly used format.

Establishing a risk assessment framework is a sensible way of managing data privacy and ensuring compliance. The ICO recommends including a description of the processing operations and purposes, an assessment of the needs of the processing in relation to the purpose and an assessment of the risks and the measures in place to address them.

8. Raise awareness

GDPR requires privacy protection by design and by default. Best practices for information governance should be embedded throughout the organisation and at every stage of each business process.

"Data is critical to many business processes, products, and services," explains the Centre for Information Policy Leadership (CIPL) report. "This is why GDPR implementation must be a concerted effort across the organisation, with the DPO working hand-in-hand with Chief Data Officer (CDO), Chief Information Officer (CIO), Chief Information Security Officer (CISO) and other senior leadership.”

Training should be put in place to ensure that every staff member understands the requirements of GDPR and their individual responsibilities for ensuring compliance.

"I see the chief privacy officer as a real champion for many in the organisation to help get their awareness raised and to make sure that people understand this,” suggests Nick Coleman, IBM's global head of cyber security intelligence.

9. Create a GDPR compliance implementation plan

After establishing which current policies and practices need amending, establish a plan for implementing the necessary changes.

"It's having a battle plan," says Coleman. "The practical [part] is prioritise the resources, prioritise support, prioritise what capabilities you need at what level of maturity to be able to get you in a state that you feel comfortable with".

10. Secure and encrypt PII

Organisations that lose personally identifiable information (PII) in a breach will have to notify each individual affected if the data is unencrypted. If they encrypt the information, only the Information Commissioners Office (ICO) needs to be advised, as the encryption will prevent anyone from reading the data.

"Companies must, automatically, move any personally identifiable data to a secure location, where encryption is applied," says Colin Tankard, managing director of data security company Digital Pathways.

"It seems a no brainer to me to do this, rather than face a huge fine, high costs of managing and notifying thousands of people, as well as handling their subsequent questions, the public disclosure and the bad press."

11. Consider GDPR compliance tools

Software companies keen to cash in on the GDPR are releasing a growing number of products to support compliance with the regulation.

None will guarantee that your data practices are in order, but a number of them that can help you get ready for the regulation. They include data discovery tools, consent management systems, self-assessment toolkits and comprehensive data management platforms.

Computerworld UK has compiled a list of some of the best products that can help organisations prepare for GDPR.

12. Make any AI explainable

Article 22 of GDPR gives individuals the right to know how any data-driven decisions about them have been made, from a credit decision to the result of a fraud investigation. This can be difficult in the case of machine learning systems and other forms of black box AI.

Tools are available that can help open up these black boxes to make AI explainable.

Analytics software firm FICO, for example, can build representative models that are more transparent than the model used, cuts out unimportant variables to make AI more interpretable, or adds noise to one variable and assess the sensitivity of a decision to that noise.

"There’s models that are very transparent. In other words, the models can be decomposed and it's pretty easy to explain how they operate," says Dr Stuart Wells, Chief Product and Technology Officer at FICO.

"But there are also neural networks, gradient boost, random forests, which are more black box models, in which case you need to take different approaches to explain them.”

13. Stay positive

Complying with GDPR will require significant time and effort, but there are positive implications to the regulation, as ICO Commissioner Elizabeth Dunham explains.

"One of the key drivers for data protection change is the importance and continuing evolution of the digital economy in the UK and around the world," she wrote in the ICO blog in November. "That is why both the ICO and UK government have pushed for reform of the EU law for several years.

"The digital economy is primarily built upon the collection and exchange of data, including large amounts of personal data – much of it sensitive. Growth in the digital economy requires public confidence in the protection of this information."

GDPR tips: How to comply with the General Data Protection Regulation

Our guide to GDPR compliance for organisations in the UK

Tom Macaulay

Follow:

Share