As we enter 2020 and a new decade we introduce a monthly series by Dave Farrelly from DF Consulting on practical GDPR compliance for your business.
GDPR came into effect on 25 May 2018 and it is still apparent that a lot of small to medium size businesses have done little to achieve compliance in this hugely important area. Unlike the ‘Millennium Bug’, GDPR is not going away, and as we get closer to the second anniversary of the legislation greater fines and penalties are being imposed by Supervisory Authorities across the European Economic Area.
So what basics do you need to know about GDPR and what can your business be doing to demonstrate compliance? If your business is processing personal data, including that of employees, it needs to be taking some precaution in relation to the new data protection legislation.
As a business, you are required to demonstrate compliance in all 7 data management principles of the GDPR as well as be in a position to show pro-actively that compliance is being implemented.
In this month’s article we take you on a whistle stop tour of the seven data management principles and seven key areas where your business can demonstrate pro-active compliance.
The 7 Data Management Principles explained
1. Fair, Transparent and Lawful Processing of Personal Data
If your business is processing personal data you must give data subjects ‘fair processing notice’ of the acquisition of the personal data, what the personal data will be used for (the purpose) as well as the legal basis for processing the personal data. There are six ‘lawful processing conditions’ for the processing of ‘Ordinary’ personal data and 10 ‘lawful processing conditions’ for the processing of ‘Special Categories’ (previously sensitive) personal data. Think about all of the different personal data that your business is capturing, for example a CCTV camera notice; have you given data subjects fair notice in a fully transparent way of what you are doing with their personal data?
2. Purpose Limitation
Simply put, only use personal data that you acquire for the purpose that was communicated in the ‘fair processing notice’. If you are using email addresses for the purpose of service messages to your customers you cannot use the same e-mail address for marketing or promotional purposes, unless of course you have the consent of the data subject to do so. In that case ‘consent’ is the ‘lawful processing condition’ or ‘legal basis’ for the processing of the email addresses.
3. Minimisation of Processing
Only ask for personal data that you need, no more no less. Your business needs to challenge the personal data it is requesting from data subjects. Previously you may have requested telephone numbers and e-mail addresses for communication purposes with customers. Do you really need both?
4. Data Quality & Accuracy
An area where a lot of businesses fall down is the ability to show that the personal data being processed is of the highest quality and accuracy. How is your business ensuring that this is the case? A lot of businesses are now introducing an annual ‘Data Quality’ audit where they review the quality and accuracy of personal data in a formal manner.
5. Storage Limitation & Retention
Another area where a lot of businesses fall down. As a business, how long are you keeping personal data for? Does your business have an agreed ‘Data Retention Policy’ for all the different types of personal data being processed? When was the last time your business deleted or destroyed personal data?
6. Security & Confidentiality
How secure is your business infrastructure from a security and confidentiality perspective? Not only should IT security be considered but also physical security such as access to areas where personal data is being stored e.g. your employee personnel files.
7. Accountability & Liability
How is your business demonstrating compliance across all of the seven data management principles? In the event of a spot check, data breach or data subject complaint investigation by the Data Protection Commissioner, can your business confidently display full GDPR compliance?
Where to start with GDPR compliance …
There are a number of key areas where your business can demonstrate practical GDPR compliance.
- Risk Assessment – conduct a risk assessment across your entire business on the processing of personal data; implement a plan to address risks identified, particularly those that score ‘high’ and ‘medium’.
- Data Protection Impact Assessment (DPIA) – be aware of this new requirement under GDPR; particularly when implementing new systems or projects where personal data is being processed for the first time or a significant change in processing is being proposed.
- Maintain a ‘Data Processing Activity Log’ – a global inventory of all personal data being processed by your business, to include key information such as the purpose of processing, the legal basis for same and how long you will keep the personal data for.
- Maintain a ‘Data Breach Log’ – in the event of a data breach for your business, key information must be captured such as what caused the breach, the data subjects impacted and the measures being implemented to avoid a similar situation in the future. Remember the 72-hour period within which you must notify the Data Protection Commissioner of a data breach.
- Policies & Procedures – ensure all key policies and procedures are in place, such as ‘Data Breach’ and ‘Subject Access Request’ policies.
- Training & Awareness – your business cannot underestimate the importance and impact of having all of your team members briefed and refreshed on GDPR and what it means for your business.
- Data Processor Landscape – a Data Processor is an external organisation or system processing personal data on your behalf and on your instruction; maintain a full view of these organisations and systems and ensure you have the relevant ‘Data Processor Agreements’ in place.
Dave Farrelly is a seasoned GDPR consultant offering businesses practical guidance, training and solutions to GDPR compliance. You can see more details on what Dave and his associates can support your business with at http://www.dfconsulting.ie/. Dave can be contacted directly at firstname.lastname@example.org.
Published: 17 January, 2020