11 simple (but complete) steps towards GDPR compliance in 2020
The General Data Protection Regulation (GDPR) is a regulation issued by the European Union that formally came into force on 25th May, 2018. In the UK, the GDPR was implemented by the Data Protection Act of 2018, which replaced the existing UK Data Protection Act (DPA) of 1998.
What is the aim of GDPR?
The aim of GDPR is to provide even stronger rights to individuals in dealing with organisations that hold their data. Personal data is defined as anything that relates to a natural person – a living human being. It includes names, identifiers, biometric data, images, and any IP/Internet related data.
There is also a new category of sensitive personal data. This includes political, religious, trade union, philosophical, health and sexual aspects.
Individuals are provided with a system of rights to ensure control over their data. One example is the ‘Right to be Forgotten’ – that is, that their data can, upon request, be permanently deleted.
The ‘Right to be Forgotten’ is not an absolute right, but will be allowable in many circumstances. In addition, the Data Subject – the person whose personal data is held – has the following rights:
- Enhanced right to information and transparency;
- Right of access and rectification;
- Right to object against the processing for marketing purposes;
- Right to restriction;
- Right to data portability.
Some of the larger companies have significant problems as they have added products and services over many years, using discrete and individual systems in silos to capture customer details. They may also have grown their businesses through acquisition (inheriting different systems), and this has resulted in bifurcated views of their customers.
Hence many cannot easily obtain a ‘Single Customer View’. This is particularly the case within Financial Services.
What does an organisation need for GDPR compliance?
The analogy I like to use is that of obtaining a driving licence. You always need to start off by first learning how to drive. The better you can drive, the easier it is to pass the test.
Equally, no amount of learning the Highway Code in itself will enable you to pass. In the same way, the more efficient you are with the handling of your data – knowing where it is, making it secure, avoiding duplication and having transparent and simple processes – the more this will assist with compliance.
So what can be done to ensure compliance and accrue the business benefits in so doing? Well, there are a number of steps that can be taken right now.
The GDPR compliance roadmap:
Step One – Do I process any personal data?
First of all, you need to establish if you do in fact process any personal data. As stated, this is defined as any information relating to an identifiable natural person.
If you do not capture any of this information then you will not be affected. If you look at this closer, however, you are likely to reveal that you process personal details of your employees, customers, shareholders or any other affected individuals. Thus, avoiding the processing of personal data is rather unlikely.
Step Two – Are we the Controller or Processor – or both?
The second step is to decide if you are acting as Controller or Processor.
This is of particular concern if you are sending data outside of the EU for processing (see Step Four below). Outsourcing of the payroll to the accountants is another example.
The controller is the organisation that determines the purposes and means of processing personal data, and the processor is responsible for processing personal data on behalf of the former.
An example of a controller is a website owner that collects data through a contact form, whereas the processor would be a CRM provider whose CRM is connected to handle the contact details.
Step Three – Undertake an Audit
The third step is to undertake an audit of all personal data held. This can be achieved by the completion of a Data Inventory that details both the processing and the storage of data.
You will need to produce a matrix of who does what to which data, why, how and at which frequency. The use of Data Mapping – a technique to understand and document the flows of data within and outside the organisation – is essential.
Step Four – Is any processing outside of the EU?
You will also need to ascertain whether any data is processed on your behalf outside of the EU by a processor. If so, you will need to look at the contracts and ensure that the processes and procedures are GDPR compliant.
Step Five – Produce a Gap Analysis
From the Data Inventory, and with a full understanding of what personal data is held, the fifth step is to produce a Gap and Risk Analysis. This will establish what needs to be done and help with prioritisation by factoring in the risk.
Step Six – Education, Training and Communications
The sixth step is to ensure that your staff are educated about the GDPR. The Regulation is all about putting data protection awareness at the centre of an organisation. There is plenty of material on the web, especially that published by the ICO (the UK’s data protection authority).
Step Seven – Handling Requests from Data Subjects
The seventh step is to make sure that you are aware of, and ready to comply with, the data subject rights described above. This means having in place a process to handle Subject Access Requests or any other interaction with regard to personal data.
Step Eight – Anonymisation and Pseudonymisation of data
The eighth step is to see if you can anonymise or pseudonymise the personal data to reduce the risk of a data loss. Anonymisation is the most secure. This involves storing data in a form that does not identify individuals.
Pseudonymisation is the separation of data from direct identifiers so that linkage to an identity is not possible without additional information that is held separately. This greatly reduces the risk of data loss or exposure.
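The following is an added illustration of the distinction described above, not code from the original article or from Hayes Associates. It assumes a small set of constructed customer records, a hypothetical secret key held separately from the working dataset, and a keyed hash as the pseudonym so the working dataset cannot be re-linked to a person without that separately held key and lookup table.

```python
import hashlib
import hmac

# Constructed sample records; these are not real people.
CUSTOMERS = [
    {"name": "Ann Example", "email": "ann@example.com",
     "postcode": "SW1A 1AA", "plan": "gold", "spend": 1200},
    {"name": "Bob Sample", "email": "bob@example.org",
     "postcode": "M1 1AE", "plan": "basic", "spend": 80},
]
DIRECT_IDENTIFIERS = ("name", "email")


def pseudonymise(records, key: bytes):
    """Replace direct identifiers with a keyed pseudonym.

    Returns (working dataset, lookup table). The lookup table and the
    key are the 'additional information held separately': the working
    dataset alone does not link a row back to a person.
    """
    working, lookup = [], {}
    for rec in records:
        token = hmac.new(key, rec["email"].encode(), hashlib.sha256).hexdigest()[:16]
        lookup[token] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
        working.append({"subject_id": token,
                        **{k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}})
    return working, lookup


def reidentify(working_rec, lookup):
    """Re-link a pseudonymised row, which is only possible with the lookup table."""
    payload = {k: v for k, v in working_rec.items() if k != "subject_id"}
    return {**lookup[working_rec["subject_id"]], **payload}


def anonymise(records):
    """Drop direct identifiers outright (no token, so no way back) and
    generalise the postcode to its area to reduce indirect identifiability.
    Whether the result is truly anonymous still depends on the remaining fields."""
    return [{"postcode_area": rec["postcode"].split()[0],
             "plan": rec["plan"], "spend": rec["spend"]} for rec in records]


if __name__ == "__main__":
    key = b"constructed-demo-key-keep-separately"  # hypothetical, not a real secret
    working, lookup = pseudonymise(CUSTOMERS, key)
    print(working)            # no names or e-mails in the working dataset
    print(reidentify(working[0], lookup))
    print(anonymise(CUSTOMERS))
```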
Step Nine – Implement the appropriate governance
The ninth step is to put in place the right governance. The data governance must ensure that the work you have undertaken to achieve compliance is maintained, and that future proposed changes include Data Protection by Design and Data Protection Impact Assessments to account for and assess the risk to personal data.
Step Ten – Ongoing audits
Finally, ensure that you undertake audits to provide evidence that you are maintaining vigilance, take into account the decisions that will be published by the ICO on the subject, and look at their Guidance Notice.
Also, investigate some of the software that already exists and is being developed to help you with granular-level GDPR data identification. All of this will provide evidence that you are putting the Data Subject’s rights at the top of your priorities.
Step Eleven – A Risk-based Approach
At all times think about the exercise from a risk perspective. This will help you to utilise resources most effectively, especially as these will tend to be limited.
In conclusion, GDPR can be a wake-up call to sort out your processes, procedures and technology and thereby run a more successful organisation. Data is now more essential than ever, regardless of your activities or market sector. Not only will efficiencies accrue, but being able to state with confidence that you are GDPR compliant will give you an edge over your competitors.
Hayes Associates Limited has been providing consultancy in Business Process Analysis, Project Management, Information Management & Governance, Data Protection and latterly GDPR to SMEs and international organisations since 1988. We have developed an effective and efficient approach to ensuring compliance.
Disclaimer: information in this article is provided for informational purposes only. You should not construe any such information as legal, business, tax, investment, trading, financial, or other advice.