The ICO’s 12 steps to compliance
(translated into actions)
Step 1: Awareness
Action: The importance here is to tackle awareness in all stakeholders. Every employee needs to be aware of GDPR, from front of house staff to back office staff to operations, finance and HR. And if your employees handle data, they need awareness of what to do and how to do it, not just awareness of GDPR itself.
Step 2: Information you hold
- Review the data you have (all of it – from customer details to employee records to suppliers)
- Review where this data came from
- Review how long you have had the data for
- Review sign up processes
- Document the legal basis for storing the data (e.g. the individual opted in)
Step 3: Communicating Privacy Information
Review your privacy notices – are they GDPR compliant? If not, make a start now on rewriting them and repositioning them. Use the GDPR’s code of practice for privacy notices to help with GDPR compliance.
Step 4: Individuals' rights
- right to be informed;
- right of access;
- right to rectification;
- right to erasure;
- right to restrict processing;
- right to data portability;
- right to object; and
- right not to be subject to automated decision making and profiling.
Ensure you have the processes in place to comply with all of the above, within the required timescale. Who in the organisation is responsible for accessing and providing this information to individuals? Are you open and transparent about how individuals contact you to exercise their rights? Do you have a policy in place for individuals covering a) accessing data, b) timescale and c) the complaints procedure?
The newest point here is data portability – the right to request that data be transferred to another organisation (think banks, energy suppliers etc). You need to ensure that you can export such data in a commonly used machine readable form, free of charge.
Step 5: Subject access requests
Action: Policies, procedures and staff need to be updated to comply with this. If you foresee a large number of requests, is it more feasible to develop a system whereby individuals can access their data themselves?
NB: You can refuse requests, or charge for them, if they are unfounded or excessive. But you must tell the individual why you refused the request and that they can take the refusal on to the supervisory body and the court.
Step 6: Lawful basis for processing personal data
Under GDPR, some individuals’ rights will be modified depending on your lawful basis for processing their personal data. The most obvious example is that people will have a stronger right to have their data deleted where you use consent as your lawful basis for processing.
Review the legal bases you use for processing personal data to ensure these are still relevant and will be GDPR compliant. Ensure these are accessible under your privacy terms.
Step 7: Consent
Consent will need to be renewed from each individual in your existing databases. And the way you seek and process consent will also be tightened up.
In the words of the ICO: "Consent must be freely given, specific, informed and unambiguous. There must be a positive opt-in – consent cannot be inferred from silence, pre-ticked boxes or inactivity. It must also be separate from other terms and conditions, and you will need to have simple ways for people to withdraw consent."
Individuals' consent must be specific, granular, clear, prominent, opt-in, properly documented and easily withdrawn.
Seriously, this is huge. Our advice? Read the ICO's guidance on consent thoroughly.
Step 8: Children
If you collect data, you must ensure you have mechanisms in place to a) verify age and b) seek parental consent for children under 13. If your business works in the context of commercial internet services such as social networking, your data collection notices must be written in a language that children will understand.
Step 9: Data breaches
You may only have 72 hours from discovery of a breach to notify the relevant data protection authority of the breach. You must also tell individuals directly if their personal data has been compromised. For now, make sure you have the right procedures in place to detect, report and investigate a personal data breach.
Step 10: Data protection by design and data protection impact assessments (PIA)
Step 11: Data Protection Officers (DPOs)
Decide who will be responsible for GDPR within your organisation. Where does this person sit – internal or external? Where are they within the structure of your organisation? Who do they report to, and who governs this person and their processes? Do they have the right experience, training and support?
Step 12: International
Where your organisation operates in more than one member state, you should identify the lead supervisory authority.
We take GDPR seriously
I’m Ragnar, Director of Hero IT Support. I’m a GDPR practitioner and an expert in data compliance:
- 10+ years' experience as a company Director
- Software developer
- BSc, Computer Science and Artificial Intelligence
- Directly responsible for data security/transfer/encryption for our clients
- Business technology advisor and public speaker
- GDPR Practitioner
Expert knowledge of data processing, transfer, storage and collection is essential for the modern-day IT support company.
If you need help in making sense of exactly how GDPR will affect you, take a look at the resources below. I will continue to blog about GDPR as the waters become less murky and the ICO releases more information.