Guide To Achieve Baseline GDPR Compliance
It's 2020, and if you are still struggling to meet GDPR compliance, with the threat of severe penalties in place for those whose failure to comply puts individuals' personal data at risk, there really is no time like the present to start taking action. At Relentless we do not judge: there are companies out there with little or no compliance with the GDPR. We do not try to scaremonger organisations into action, but provide good, strong advice.
Yet with a seemingly never-ending task list to complete, how do you know which aspects of GDPR to take care of first, let alone which steps will make the biggest difference to your compliance efforts? Of course, you could begin by wading through page after page of extensive GDPR documentation, but let's face it: even if you did have the patience and perseverance for such an undertaking, you simply don't have the time. Fortunately, there is an easier way:
Follow Our Four-Step Guide to Baseline GDPR Compliance
Relentless Privacy & Compliance work with scores of businesses across the UK and internationally, empowering them with the tools, services and strategies they need to ensure frictionless compliance with current regulations. Combining our experience with the latest insights into GDPR best practice, we've put together this handy guide, helping your business make a smooth move towards compliance with four steps you can start implementing today.
Step 1: Create Records of Processing Activities
Article 30 of the GDPR states that both data controllers and data processors must keep records of their processing activities. Although some Article 30 requirements apply to both controllers and processors, each one is obligated to follow its own set of rules about what, and how, to record. With that in mind, your first task should be to determine whether you're classed as a controller or a processor. The good news is that this is pretty straightforward.
How To Tell if You’re A Data Controller or Data Processor:
At the most basic level, this comes down to whether or not you're in charge of the "what, why, how and where" of your data collection.
The data controller determines the purposes for which, and the manner in which, personal data is processed. It can do this either on its own or jointly or in common with other organisations. This means that the data controller exercises overall control over the 'why' and the 'how' of a data processing activity.
A data processor is a person or organisation that processes data on behalf of a data controller. The controller decides the purpose and manner in which the data is processed, while the processor holds and processes the data but has no responsibility for, or control over, those decisions.
Article 30 Requirements for Both Controllers and Processors
Regardless of whether you control or process data, you're required to record:
- Your company details. If you have appointed a Data Protection Officer (DPO) then this will also include their contact details.
- Your representative in the European Union (EU) if your primary business is headquartered outside of the EU.
- A general description of both technical and organisational data security measures you’ve implemented. This includes everything from encryption and anti-ransomware to limiting access only to those who need the data.
- In cases where you’re transferring data outside of the EU, where that data is going and what measures are in place to protect it.
GDPR Articles 44 to 50 are primarily concerned with transferring data internationally, so it's worth checking up on those, or talking to your GDPR compliance consultant, if this applies to you.
Article 30 Requirements for Controllers
If you're a controller, you'll need to record the categories of people and the categories of data that you'll be processing. In a commercial business, for example, you might record that customer information includes bank details, email address and physical address, and that employee information includes bank details, tax information, next of kin and health records. You'll also need to record:
- The types of people who will have access to your data
- The length of time you intend on keeping each category of data.
Article 30 Requirements for Processors
As a processor, you need to record:
- The types of processing you carry out (collection, for example). There are a vast number of processing types, which you can read about on the Information Commissioner's Office (ICO) website.
- The name and contact details of the controller on whose behalf you process data.
- Details of that controller’s DPO and EU representative where applicable.
- If you work on behalf of multiple controllers, you’ll need to record these details for each one.
Step 2: Determine Your Lawful Basis For Processing Personal Data
Ready for some more good news?
The remaining three steps towards frictionless compliance with GDPR aren't nearly as intense as Step 1. Next, for example, you simply need to follow Article 6, which states that in order to process personal data you need a valid lawful basis to do so. In other words, the processing must be necessary to achieve a specific purpose.
GDPR outlines six lawful bases, which are:
- Consent: an individual gives their explicit consent for you to process their data for a specific purpose.
- Contract: processing is necessary in order to carry out the terms of a contract you have with the individual. The ICO also states that this basis can be used if the individual has "asked you to take specific steps before entering into a contract."
- Legal obligation: processing is required in order to ensure you're compliant with the law.
- Vital interests: processing is required in order to protect an individual's life.
- Public task: this applies if processing is necessary in order to carry out a task that is in the public interest or an official function of your organisation. Those tasks and functions must have a clear basis in law.
- Legitimate interests: the ICO tells us that this applies when "processing is necessary for your legitimate interests, or in the legitimate interests of a third party." This, however, can be overridden if there is a good reason to protect the individual's personal data.
Step 3: Identify a Lawful Basis for Processing Special Category Data
Special category data is personal data which GDPR classes as more sensitive than other types of data, and which therefore requires greater protection. This includes things like race, religion, ethnicity, and genetic and biometric data, among others. In order to process this kind of data, you'll not only need a lawful basis from the aforementioned Article 6, but you'll also need to meet a specific condition set out in Article 9.
The ICO has a full list of the ten Article 9 conditions, some of which (explicit consent, vital interests, and legitimate interests) resemble the lawful bases of Article 6. That said, it is important to note that you don't necessarily have to use the same basis for each. In other words, if you rely on consent under Article 6, you do not have to rely on explicit consent under Article 9, though you can, of course, choose to do so if it is the most appropriate solution.
Step 4: Ensure Adequate and Appropriate Data Security and Privacy Measures Are in Place
Our fourth and final step involves following the guidance of Article 25 and Article 32, both of which concern themselves with integrating data protection into the very heart of your organisation and taking a “privacy first” approach to new policies, initiatives and endeavours.
Article 25 requires what it calls "data protection by design and by default." This means that both technical and organisational data security measures are implemented across the board, into every aspect of your business' products, services and processes. It also means ensuring that you only collect, store, and process data which is absolutely necessary, and that this data is only made available to people for whom access is also absolutely necessary.
Meanwhile, Article 32 mandates that those technical and organisational measures are adequate and appropriate for the level of risk involved in the data processing you carry out. At a technical level, this includes encrypting personal data, using a process known as pseudonymisation, and creating adequate data backup and disaster recovery strategies. Organisationally, this may involve staff training, updating policies, and managing which individuals have access to data.
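As an added illustration of the pseudonymisation that Article 32 names (example code written for this guide, not Relentless's own tooling): the direct identifiers from the customer record described in Step 1 are replaced with keyed HMAC tokens, so the data can still be analysed while the key and the token-to-value table become the separately held "additional information" that access controls must protect. The field names and values are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed sample record using the identifier types named in Step 1.
# Hypothetical values, not real personal data.
CUSTOMER = {
    "email": "jane.doe@example.com",
    "bank_account": "12345678",
    "physical_address": "1 Example Street, Birmingham",
    "order_total": 42.50,  # non-identifying business data stays in the clear
}

# Fields treated as direct identifiers and therefore tokenised.
DIRECT_IDENTIFIERS = ("email", "bank_account", "physical_address")


def pseudonymise(record, key):
    """Return (pseudonymised record, lookup table).

    A keyed HMAC, not a plain hash, is used so that someone holding only the
    pseudonymised data cannot recover an email or account number by hashing
    guesses; the key and the lookup table must be stored separately from
    the pseudonymised data and restricted to staff who need to re-identify.
    """
    out = dict(record)
    lookup = {}
    for field in DIRECT_IDENTIFIERS:
        value = str(record[field])
        # Field name is mixed in so equal values in different fields get
        # different tokens.
        token = hmac.new(key, f"{field}:{value}".encode(), hashlib.sha256).hexdigest()
        out[field] = token
        lookup[token] = record[field]
    return out, lookup


def reidentify(pseudo, lookup):
    """Restore the original record; only possible with the separately held table."""
    restored = dict(pseudo)
    for field in DIRECT_IDENTIFIERS:
        restored[field] = lookup[pseudo[field]]
    return restored


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generate once, keep in a secrets store
    pseudo, table = pseudonymise(CUSTOMER, key)
    print(pseudo)
    print(reidentify(pseudo, table) == CUSTOMER)
```

The same key always yields the same token for a given value, so records can still be joined or counted for analysis, while a dataset tokenised under a different key cannot be cross-matched against this one.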
Unsure whether the technical and organisational data security measures you have in place are enough to meet GDPR requirements? Need further advice on lawful bases, or hands-on support with data processing records?
Relentless Privacy & Compliance Services deliver bespoke GDPR solutions designed to guarantee frictionless compliance right across the board. Contact us online today to arrange your free consultation, or to find out more about how we can help, call now on +44 1215820192.