In the second of a series of four articles, marketing expert Charlotte Graham-Cumming, director of Varia Solutions, explains the implications of new General Data Protection Regulations (GDPR) due to come into force on May 25
While the General Data Protection Regulation, or GDPR, itself is quite complex – 88 pages, I believe – and all the clauses interlink and cross-reference, there is a sensible way to structure a project so that you leave no stone unturned.
We call it the ‘12, 8 and 6’ method and that makes it easier to remember. There are 12 areas in your business to look at, there are eight data protection principles that need to inform the decisions you make, and six bases for lawfully processing data.
In this article, we will concentrate on those 12 crucial data categories.
Using this list of 12, the best place to start is to create a Risk Assessment document, where you examine each area and determine your level of risk.
The data dozen
- Information you hold
What personal information do you hold? Where is it? How secure is it? How is it processed? Do you process sensitive personal information? If so, you’ve got more stringent regulations to be aware of.
- Communicating privacy information
- Individual’s rights
Make sure you’re familiar with the individual rights, so that you comply. This includes processing data lawfully and fairly, as well as things such as the right to correct incorrect information.
- Subject access requests (SAR)
How easy would it be for you to comply with an SAR within 30 days, as required by the new laws? What data could and couldn’t you provide? Who should be the contact for this? Is that clearly stated somewhere obvious? Do your staff know what to do in the event of such a request?
- Lawful basis for processing data
There are six lawful bases that you can use to process data. For each piece of data you collect, you need to document how it’s managed and determine what your lawful basis is.
Consent, one of the six lawful bases, is a big focus within the legislation. We’ll cover this more in the next article, but you need to make sure you have consent, where legally required.
- Children’s data
If you handle data relating to children, the requirements around consent, for example, are more stringent. You also have greater obligation in terms of maintaining privacy.
- Data breaches
You need to define what you consider a breach, and flag when a breach becomes reportable. You have to make sure, if a reportable breach occurs, that you are capable of informing the Information Commissioner’s Office (ICO) within the required 72 hours. You will also have to inform the data subjects if they are likely to be compromised by the breach.
- Data protection by design
The eight principles should be used as a check list for every process that manages personal data. Personally, I believe that following this process will make compliance with GDPR a natural part of doing business, as opposed to a check-box exercise.
- Data Protection Officers (DPO)
Not all organisations are required to have a DPO, so you’ll need to check if you should have one. It’s a good idea to have an informal DPO, even if you aren’t required to, so that one person keeps control of compliance.
If you have locations in multiple countries, you need to pick a leading country, typically where your head office is located. Also, GDPR applies to personal data on any EU citizen, regardless of where it is in the world, so you need to be aware of that, too.