Paul Cummins, head of Legal at Milton Keynes Council and a member of the In-House Division committee, offers a practical, nine-step guide to implementing the General Data Protection Regulation in your organisation.
There is now less than a year to go before the General Data Protection Regulation (GDPR) comes into force on 25 May 2018. The GDPR has been held up as a game-changer in the regulation of personal data in a world where data is increasingly seen as the ‘new oil’.
General counsel (GC) and other in-house lawyers are likely to be involved in advising their organisations on the implications and implementation of the GDPR. In some cases, the GC will already be identified by the board as the ideal person to fulfil the role of data protection officer (DPO).
There is now plenty of information available on the main changes to data protection law as a result of the GDPR, so this article seeks to focus instead on some of the practical considerations. A knowledge of the main changes is assumed. Below are nine practical steps for those in-house lawyers involved in implementing the GDPR in their organisations.
Don’t panic (yet)!
Those organisations that have good processes and procedures for dealing with personal data will be in a good position to implement the changes necessary. Those organisations that currently have weak processes should see the GDPR as an opportunity to put proper and GDPR-compliant processes into place. There is still time for organisations to get ready for the GDPR but, depending on the complexity of the organisation and the personal data it holds, it could take time to write procedures and implement the necessary technical processes. Time is running out!
Think of GDPR implementation as a project
There is a known end date, i.e. 25 May 2018, and a set of known responsibilities which will need to be in place by then. Implementation of the GDPR therefore lends itself well to a project management approach. Draw up a project plan with timescales for achievement of the necessary milestones. To do this, you will need to understand what has to be implemented. Consider:
- What resources are needed to ensure new policies, procedures and processes are ready in time? Who is going to write them?
- Do you have a project sponsor at board level?
- Will implementation involve a cross-departmental team?
- How will staff training be undertaken across the organisation?
Make use of guidance
There is now a plethora of guidance available on the new rights and obligations under the GDPR. The Information Commissioner’s Office (ICO) website remains the best general resource for organisations and is regularly updated. As the ICO will remain the national regulator under the GDPR, it is crucial to understand its interpretation of, and priorities for, the legislation. Also, look out for any sector- or industry-specific guidance, or guidance from professional bodies, which may offer bespoke advice and draft procedures and processes that your organisation can use.
Get board and senior management support
If you are directly responsible, or advising those responsible, for GDPR implementation, it is important to be supported from the top. You may have taken a paper or briefing note to the board already, but if not, doing so may be a way of getting board buy-in. The new level of fines under the GDPR should strengthen the board’s support for the additional resource, and sharpen the organisational focus, that will be needed to implement the GDPR.
On a practical level, a board champion or project sponsor who gives organisational leadership on GDPR implementation would also help. So, is your champion going to be the GC, finance director, CEO, or someone else? The risk of a data breach may be on corporate risk registers already, but if not, it certainly should be under the GDPR.
Carry out a data protection audit
Before implementing GDPR-compliant changes, it is necessary to understand what is currently in place in the organisation. Consider:
- What are the data protection policies that are currently in place?
- Are those policies published on the internet?
- Are staff aware of policies within key divisions and across the organisation generally?
- What are the current processes for activities such as breach notification, which will have critical significance under the GDPR?
- Are staff currently trained across the organisation, and is that training as effective as it could be?
Survey of personal data held by the organisation
There is a need to fully understand what personal data is held by the organisation, and how it is held.
Establish all the different pieces of software in which personal data is held: for example, human resources systems, customer databases etc. Then, establish the type of personal data that is held. Is sensitive personal data held? It is necessary to build up an accurate picture of what personal data is held by the organisation before embarking on a process of implementing compliant procedures and processes for dealing with that data. This will also enable an assessment of risk in respect of the data held by different organisational divisions – for example, is personal data currently transferred out of the organisation and/or the EU?
You also need to understand the IT strategy of the organisation by speaking with the IT manager. What new IT systems are planned: for example, is there a strategy of cloud-based software? Further, understand what sort of personal data is likely to be held in the future in the business – if there are plans to expand into new markets, this could mean new customer bases.
The accountability principle
It is important to grasp the new accountability principle, as this will underpin many of the procedures and processes that must be in place to comply with the GDPR. Article 5(2) states that the data controller should be able to demonstrate compliance. This means organisations will need to document compliance, including the processing activities which they are undertaking. The accountability principle therefore needs to be built into the procedures and processes that are devised.
Decide on the DPO
There is a mandatory requirement for public authorities and those organisations ‘whose core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale or of special categories of data or data relating to criminal convictions and offences’ to have a DPO.
Many organisations will have a DPO already, often the GC or head of Legal. You will need to decide how to allocate the DPO role going forward, and whether the GC is indeed the most appropriate person. If the DPO role is allocated to an existing employee, or outsourced, it is going to be imperative for that person to have a role in implementation, so decide who that is going to be as soon as possible.
Procedures and processes
Even organisations which currently have effective procedures and processes for personal data will need to make changes so they are GDPR-compliant. An early assessment of the work involved will need to be undertaken, and a decision made on how to allocate that work. Thought will be needed to ensure procedures and processes properly document compliance, in particular the need to have an audit trail for the lawful basis for processing personal data.
One area where it is critical that there are effective procedures in place is in respect of breach notification. The ICO must be notified within 72 hours of a breach, and a failure to notify could result in a fine up to €20 million or four per cent of global turnover.
The GDPR creates some new data protection rights for individuals: the right to be forgotten, the right to restriction of processing and the right to data portability. Workable and compliant processes will need to be established in respect of these new rights. Consider:
- The requirement to provide fair processing information, for example, through a privacy notice
- GDPR removes the £10 subject access fee, which is likely to lead to an increase in subject access requests. At the same time, there will be less time to comply, as information is to be provided without delay and within one month. Are there more effective processes by which information can be provided by the organisation, for example, remote access via a secure self-service system?
- Are the technical processes going to enable efficient rectification or erasure of personal data?
- Are there competent systems to allow data portability?
Implementation of the GDPR is going to be a significant, but not impossible, challenge for those involved. Good luck!