Last May (2018) we saw the biggest data protection legislation update in 20 years with the arrival of the GDPR and subsequent Data Protection Act 2018. For the most part, this simply built on the groundwork that was already there but did amend and introduce concepts to take into consideration the new ways in which the EU (and UK) processes personal data.
So what lessons have we learned in the last 18 months? To be perfectly honest, lots. Unfortunately, we cannot cover every lesson that we have learned and so we thought we would consolidate this article into the basic ‘must-haves’.
The main driving force behind the GDPR was to make organisations accountable for their data processing. In part this means that organisations ensure they have data privacy and security by design and by default: from the outset, they implement appropriate technical and organisational measures to safeguard personal data when processing it, and it is only processed, stored, accessed, etc. for the purposes for which it was gathered.
The data protection principles and data audit
To ensure that you have accountability, you’re going to need to do two things, and for the purposes of this article, we’ve condensed them into one:-
1. Understand the data protection principles (which underpin the GDPR); and
2. Conduct a data audit.
By conducting a data audit, you can check that your organisation is compliant with the data protection principles. Below, we have set out the data protection principles, along with a non-exhaustive list of questions for your audit:-
• Fair, lawful and transparent processing of information
    • Do we have a legitimate basis for processing the personal data?
    • Do we inform employees (or other third parties) of how we will process their personal data?
• Purpose limitation
    • Why do we need the personal data?
    • Do we ensure that the personal data is only processed for the specific purposes for which it was obtained?
• Data minimisation
    • What information do we actually need?
    • Can we delete personal data that is unnecessary?
• Accuracy
    • How do we ensure that the personal data we hold is accurate and up to date?
    • Is inaccurate personal data being deleted?
• Storage limitation
    • Once we no longer have a legitimate reason to process it, do we delete the personal data?
    • How long should/do we keep personal data for?
• Integrity and confidentiality
    • What security measures are in place?
    • Do those security measures ensure that only those who need access to the personal data have access?
    • Do we have processes in place to ensure we are data protection compliant?
    • Who is responsible for our data protection? For example, a Data Protection Officer.
Once your data audit is complete, you will be well on your way to identifying any gaps in your data protection and can then work towards closing them and achieving compliance.
Data protection is a daunting task but it is not insurmountable and below we have set out some handy tips to help you on your way to compliance:-
• Ensure that you have a lawful basis for processing personal data (remember that these are consent, contract, legal obligation, legitimate interest and vital interest). Remember that consent does not work for the processing of employee personal data by an employer.
• Ensure that you have appropriate documentation in place, such as:-
    • A data protection policy / privacy standard (that covers, amongst other things, the rights that individuals have, including to be informed, access, rectification, erasure, portability, restriction of processing, automated decision-making and objection to marketing);
    • A staff privacy notice;
    • Appropriate clauses within the contract of employment;
    • Appropriate clauses within any recruitment, benefit or other policy documentation;
    • A detailed plan/procedure or guidelines to deal with subject access requests, retention and destruction of personal data, and data breaches (remembering that you have 72 hours to inform the Information Commissioner's Office (ICO) and may also have to inform the individual);
    • Appropriate clauses within contracts with third parties; and
• Inform, train and test your staff on the data protection legislation and your own organisation’s policies and procedures. For example, seek out a firm that could carry out a phishing email test.
Data protection is an ongoing issue and something we must all take seriously. By ensuring your staff are trained and have the tools with which to tackle data protection, you considerably reduce the risk of a data protection breach and of a potential investigation (or fine!) by the ICO.
Our final point is that emails are really, really effective and useful. They can also be such a pain. There have been so many times that we have seen emails used inappropriately, either sent to the wrong person with personal data attached or held onto long after their use or purpose has expired, which could cause (or has caused) a data protection issue. In all of these cases, it is usually an accident, and so we stress to you: ‘if you don’t need it, delete it’.