The Information Commissioner’s Office carries out audits of data protection compliance at controller organisations and its reports are made public on the ICO website. In a recent report a key finding under “Governance and Accountability” read:
“There is a limited level of assurance that processes and procedures are in place and are delivering data protection compliance. The audit has identified considerable scope for improvement in existing arrangements to reduce the risk of noncompliance with data protection legislation.”
Areas for improvement were identified as follows:
“The completion of an information audit/data mapping exercise would ensure that all data processors are clearly identified and create both a Record of Processing Activities and Information Asset Registers, to incorporate all business areas across the whole organisation. The exercise is key to comply with Article 30 GDPR and Section 61 DPA18 legislation and establishing the lawful basis for processing personal data/special categories of data. In addition, the IARs should be reviewed on a regular basis to ensure that the lawful basis is still appropriate.
Producing comprehensive and clear privacy notices will ensure individuals are aware why their personal data is being processed, under what lawful basis (the review of Information Asset Registers above will contribute to this) and what rights they have in relation to that processing, including the right to withdraw consent. The privacy information should be available in other languages and formats to meet the needs of all sections of society.”
The provision of privacy notices before any personal data is obtained or collected is a requirement of Articles 13 – 15 of the GDPR, although the requirement predates the GDPR. Under the 1995 Data Protection Directive the content of a privacy notice was specified as:
- Identity of data controller
- Purposes of the processing
- Any other information relevant in the circumstances.
Under UK GDPR there are seventeen different heads of information to be supplied in a privacy notice, hence the need for a detailed record of processing to be able to accurately provide this information in relation to all processing purposes.
A further level of complexity attaches to privacy notices: they must be appropriate to the understanding of the data subject, as the new Children’s Code demonstrates. The findings in this audit highlighted the controller’s failure to provide privacy notices in other languages and formats to “meet the needs of all sections of society”.
A clear and comprehensive record of processing is the basis of data protection compliance and of meeting the Accountability standard. However, this record can only be created from a thorough audit of all data processing activities to identify:
- the purpose of the processing
- the details of who the data subjects are
- what personal data is held
- how long it is held
- whether it is shared with other controllers
- whether third party processors are involved in the processing and
- the location of the data.
So a compliance programme must start with an audit of data processing activity and the creation of Article 30 records. This then informs future compliance activity; for example, the audit should enable the controller to assess the level of risk in its data processing activities and prioritise its compliance focus accordingly. It should identify third party data processors so that compliance checks can be carried out to confirm that appropriate written contracts are in place and that due diligence checks have been carried out.
Other key aspects of a compliance framework include having appropriate and effective policies and procedures. There is a baseline list of issues every organisation should cover, such as a personal data breach notification procedure, a data retention policy and retention schedule, an information security policy and procedure, and working from home procedures. Other policies and procedures will depend on the operational activities of the controller. Policies and procedures provide guidance for staff whose job role involves handling personal data; the requirements of a call centre will differ from those of the finance team, for example.
Providing guidance for staff is only part of what is required to embed a good data protection culture and demonstrate Accountability. Staff should be trained in the basics of data protection with specialist training for key job roles such as those responsible for records management, information security and managers who make data sharing and outsourcing decisions.
Meeting the Accountability standard certainly lends itself to a process, a systemic approach. At Data Protection Consulting we have adopted a compliance process which is still sufficiently flexible to meet the needs of clients from a range of operations. If your organisation needs help with data protection compliance, don’t wait for the ICO audit to highlight what needs to be done. Work with us to follow a clear road to compliance, developing a data protection compliance framework that evidences GDPR Accountability for data protection.
Mandy P Webster, Data Protection Consultant