We find it easier to get our heads around GDPR if we split it into three parts:
1 GDPR demands a new approach to data protection compliance, requiring a risk management approach and introducing the new principle of Accountability.
2 The data subject is placed firmly at the centre of GDPR, benefiting from new and enhanced rights. Companies are obliged to provide data subjects with additional information about personal data processing activity. The standard for consent is higher and there are special rules for processing children’s data.
3 Standards of security required are more rigorous in respect of breach reporting and controls around outsourcing. Non-compliance is punishable by even greater penalties. Indeed, under GDPR, fines can be levied for up to twenty million euros or four per cent of annual global turnover, with additional powers for the Regulator such as audit rights.
Part one – Managing data protection risk and Accountability
New record keeping requirements
The Information Commissioner asks: if you do not know what personal data you process, how can you be sure that you are complying with data protection requirements?
As a first step, identify what personal datasets your organisation processes, for example marketing information, HR and payroll files, customer account information, and health and safety records.
Specify each business owner and record why the processing takes place, what data is involved and who the data subjects are, as well as compliance attributes such as how long the dataset is held, the condition for fair processing that is being met, whether the processing is outsourced, and whether the data is sent outside of the European Economic Area (EU Member States, Iceland, Norway and Liechtenstein).
This begins to meet the requirement for enhanced record keeping under Article 30 of GDPR.
The Principle of Accountability in GDPR means that organisations must be able to demonstrate their compliance with data protection legislation.
The second step is to identify, for each dataset, the level of risk associated with each processing activity, including simply storing the data.
To meet the new GDPR Principle of Accountability, document the risk assessments. Where risks are identified, take steps to manage them and document the activities carried out to avoid or mitigate those risks, so that you meet the Accountability criteria.
For some organisations the role of Data Protection Officer is mandatory with duties defined in GDPR.
Accountability reaches its ultimate expression in the new requirement to designate a DPO in certain circumstances. This individual is responsible for communicating compliance issues to the board or senior management and to the ICO when issues get out of hand.
The role and its duties are defined in GDPR, and there are guidelines as to who should carry out the role in order to minimise conflicts of interest for the DPO. For some companies, such a conflict of interest is impossible to avoid. In these cases, an external data protection consultancy may be employed to carry out the role as an outsourced service, or at least to act as a mentor to the DPO, ensuring that decisions are unbiased and objective and that the DPO's position has not been subject to undue pressure from elsewhere in the business.
Visit the ICO website to see if your organisation meets the criteria for requiring a DPO. If you are still unsure whether or not you need one, a data protection consultant could help you decide.
DPIA risk assessments are now mandatory for higher risk processing and help to meet Privacy by Design principles
Data Protection Impact Assessments (DPIAs) should be used to identify inherent risks in new projects, developments and initiatives. Under GDPR, DPIAs are mandatory for higher risk processing. By demonstrating that DPIAs were carried out before new processes were introduced, an organisation can defend its position in the event of a breach of GDPR and lower the level of any resulting fines.
This is the outline of a risk management framework.
Mandy Webster, Data Protection Consultant