What are the next steps to take to ensure GDPR readiness?




    Feature I

    Your step by step project plan to GDPR readiness

    Allison Wooddisse, Head of In-House and Compliance, LexisNexis, considers what is on the horizon in relation to data protection and the GDPR for 2018 and what should be top of your to-do list right now on your journey to GDPR readiness.

    Data protection. What happened in 2017? It's probably easier to say what hasn't happened.

    At the time of writing, we still haven't had final guidance from the Information Commissioner's Office (ICO) on consent under the General Data Protection Regulation, Regulation (EU) 2016/679. Nor have we had detailed guidance on the scope of legitimate interests, direct marketing under the GDPR, and lawful processing. There’s also great uncertainty about whether the ePrivacy Regulation (currently in draft form) will be finalised and in force to coincide with implementation of the GDPR.

    What are the practical implications?

    It’s extremely difficult for organisations to draft their privacy notices and policies in readiness for the GDPR. This is because privacy notices and policies must state the lawful ground on which data is processed.

    Many organisations will wish to move away from consent as the default ground for processing personal data, because the GDPR raises the bar for the standard of consent. ‘Legitimate interest’ is an attractive alternative ground for processing, but the only available detailed guidance predates the GDPR.

    Key steps to action now.

    The good news is, there are practical steps you can take today to be ahead of the game.

    Before preparing a privacy notice or policy it is critical that you comprehensively identify what data you process, why and how.

    Armed with this information, you can then form a preliminary view on the most appropriate ground for each processing activity, including legitimate interests and consent. Then, and only then, can you draft your privacy notices and policies. Helpful tools to consider include a Sample data processing map and Data and information register.

    What’s on the horizon?

    As we are all aware, the GDPR will become directly applicable and enforceable in the UK from 25 May 2018. The Data Protection Bill is currently before Parliament and is expected to receive Royal Assent shortly in the New Year. We also have our fingers crossed for detailed guidance from the ICO or EU on lawful grounds for processing, legitimate interests, consent and direct marketing. But time is pressing on and organisations cannot wait for the regulators to tell them what to do.

    The GDPR represents the biggest overhaul in data protection law for two decades. As the deadline approaches, organisations must continue to review their internal procedures and arrangements with data subjects, suppliers and other third parties to ensure they comply with the obligations under the new regime.

    Get ahead of the game

    Top of your to-do list right now is:

    • Data mapping—find out whose data you are processing, why and how.
    • Making a start on legitimate interests assessments—this can’t wait for detailed ICO guidance; there is enough information in the GDPR itself and in pre-GDPR guidance to get ahead of the game.
      Here, a useful tool is a legitimate interest assessment to determine whether you have a legitimate interest in processing data under the GDPR and, if so, whether that legitimate interest is overridden by the rights and interests of the data subjects whose data you propose to process.
    • Overhauling your preference centre, or deciding whether to set up a preference centre if you don’t already have one.
      In the latter case, consider a preference centre supplier questionnaire to help you establish more quickly and effectively whether an externally supplied or maintained preference centre complies with the requirements of the GDPR, particularly around consent for marketing communications.


    Feature II

    Sample data processing map

    1. Identify and document why the organisation processes personal data

      Rather than starting by trawling the organisation for personal data, think about what your organisation does that may involve processing personal data.
      Identifying the reasons for or purposes of processing data is often fairly straightforward. Drawing a diagram or visual map can help the thought process. A sample is shown below:

      [Diagram not reproduced here]

    2. Document the various activities that take place to achieve each purpose of processing

      Again, it can be helpful to draw out a diagram or visual map, as illustrated below, using the ‘staff administration’ purpose identified at stage 1.

      [Diagram not reproduced here]

    3. Identify key stakeholders that have information on the processing activities involved in each purpose for processing

      The table below uses the ‘staff administration’ purpose identified at stage 1.

    Activity that takes place to achieve the staff administration purpose, followed by the key stakeholders for that activity:

    Recruitment
      Talent development team
      Departmental Recruitment Business Partners
      Recruiting managers
      All interviewers
      Receptionists

    Payroll
      [insert stakeholders for payroll]

    Performance reviews/appraisals
      [insert stakeholders]

    Providing benefits
      [insert stakeholders]

    Recording attendance/leave
      [insert stakeholders]

    Work-related correspondence
      [insert stakeholders]


    You will need to complete a similar exercise for each data processing purpose identified at stage 1.

    4. Identify the categories of data subjects for each purpose of processing

      For each purpose of processing (from stage 1) you should work with relevant key stakeholders (from stage 3) to identify the categories of data subjects.

    Purpose of processing, followed by the categories of data subjects for that purpose:

    Staff administration
      Job candidates
      Current staff/contractors
      Former staff/contractors
      Emergency contacts/relatives
      Contacts at suppliers/third party benefit providers
      [insert next]

    [Client OR Customer] administration
      [insert categories of data subjects for [Client OR Customer] administration purpose]

    Meet legal obligations
      [insert categories of data subjects for this purpose]

    Provide goods or services to individuals
      [insert categories of data subjects for this purpose]

    Improve products/services/processes
      [insert categories of data subjects for this purpose]

    Improve safety and security
      [insert categories of data subjects for this purpose]

    Increase business (eg direct marketing and profiling or behavioural advertising)
      [insert categories of data subjects for this purpose]


    5. Identify the categories and sub-categories of personal data that are processed

      Work with relevant information gatekeepers to document the categories and sub-categories of personal data processed for each of:
      —the purposes of processing identified (from stage 1)
      —the categories of data subjects (from stage 4)
      This may work better as a spreadsheet, with a different tab for each purpose of processing. See: Data map spreadsheet—Excel version.

    Purpose of processing, followed by the categories of data subjects and, for each category of data subject, the categories and sub-categories of personal data processed:

    Staff administration
      Categories of data subjects:
        Job candidates
        Current staff/contractors
        Former staff/contractors
        Emergency contacts/relatives
        Contacts at suppliers/third party benefit providers
      Personal data processed in relation to job candidates, including:
        —names
        —contact details
        —telephone numbers
        —email addresses
        —employment history
      Special category (sensitive) personal data processed in relation to job candidates, including:
        —information about disabilities
        —medical records or data
      [Insert categories and sub-categories of personal data processed for current staff/contractors]
      [Insert categories and sub-categories of personal data processed for former staff/contractors]
      [Insert categories and sub-categories of personal data processed for emergency contacts/relatives]
      [Insert categories and sub-categories of personal data processed for contacts at suppliers/third party benefit providers]

    [Client OR Customer] administration
      [Insert categories of data subjects identified at stage 4]
      [Insert categories and sub-categories of personal data processed for each category of data subject]

    Meet legal obligations
      [Insert categories of data subjects identified at stage 4]
      [Insert categories and sub-categories of personal data processed for each category of data subject]

    Provide goods or services to individuals
      [Insert categories of data subjects identified at stage 4]
      [Insert categories and sub-categories of personal data processed for each category of data subject]

    Improve products/services/processes
      [Insert categories of data subjects identified at stage 4]
      [Insert categories and sub-categories of personal data processed for each category of data subject]

    Improve safety and security
      [Insert categories of data subjects identified at stage 4]
      [Insert categories and sub-categories of personal data processed for each category of data subject]

    Increase business (eg direct marketing and profiling or behavioural advertising)
      [Insert categories of data subjects identified at stage 4]
      [Insert categories and sub-categories of personal data processed for each category of data subject]



    Cases

    Tribunal reduces penalty for data protection breach (Basildon Borough Council v Information Commissioner)

    Basildon Borough Council’s appeal against a monetary penalty notice issued by the Information Commissioner following a data protection breach was partly allowed, with the monetary value of the penalty being reduced by 50% due to mitigating circumstances in Basildon Borough Council v Information Commissioner EA/2017/0124. See News Analysis: Tribunal reduces penalty for data protection breach (Basildon Borough Council v Information Commissioner).


    FYI

    NHS Digital must suspend ‘haphazard’ immigration offender data sharing agreement

    The Health Committee has requested that NHS Digital immediately suspend a memorandum of understanding (MoU) between NHS Digital, the Home Office and the Department of Health on processing information requests from the Home Office to NHS Digital for tracing immigration offenders. Having found that NHS Digital has not ‘fully considered and appropriately taken account of the public interest in maintaining a confidential medical service’, the Committee has requested that it undertakes ‘a further and more thorough review of the public interest test’. See: LNB News 31/01/2018 147.

    Examining the Article 29 Working Party guidelines on GDPR consent

    The Article 29 Working Party has published new guidelines for obtaining and demonstrating valid consent under the General Data Protection Regulation (EU) 2016/679 (GDPR). Atiq Bhagwan, associate at DMH Stallard LLP, puts the guidance under the microscope. See News Analysis: Examining the Article 29 Working Party guidelines on GDPR consent.

    Updating the FOI code of practice—examining the government consultation

    Discussing the government consultation on an updated freedom of information code of practice, James McGachie, a legal director in the data privacy team at DLA Piper, says the proposed developments continue the trend towards proactive transparency and open government. See News Analysis: Updating the FOI code of practice—examining the government consultation.
