The GDPR—preparing for implementation
What should organisations be doing to prepare for the implementation of the EU’s General Data Protection Regulation (GDPR)? As part of a series of articles to mark Data Privacy Day, Andrew Dyson, partner, and James Clark, associate, at DLA Piper, advise on how to prepare for the GDPR, which will become directly applicable and enforceable from 25 May 2018.
The GDPR will introduce major changes to data protection law in 10 months’ time.
The EU adopted the General Data Protection Regulation, Regulation (EU) 2016/679, in April 2016 and it will become directly applicable in the UK on 25 May 2018. Among other things, the GDPR will have a greater territorial scope, covering data controllers and processors not only in the EU but also those outside it which process personal data of EU residents. It also provides for greater fines for breaches, as well as a requirement for controllers to notify data breaches to the supervisory authority and the data subjects affected without undue delay, and for processors likewise to notify the controllers. Certain controllers and processors will have to appoint a data protection officer (DPO) who will inform and advise the controller or the processor of their obligations under the GDPR and will monitor compliance with it, as well as co-operating with the supervisory authority.
What steps should organisations be taking now to implement the GDPR?
Fundamentally, the GDPR requires organisations to take a more pro-active and conscious approach to data privacy compliance. To achieve this, an understanding is required of how the business uses personal data:
- who collects it
- for what purposes
- with whom it is shared, and
- under what conditions it is stored
‘Data mapping’ (see below) would provide the organisation with this overview of how the business uses data, and then an analysis of the requirements of the GDPR, for both controllers and processors, can be carried out against the activities of different teams or departments within the organisation. This ‘gap analysis’ allows for the identification of discrepancies between the controls called for by the GDPR and the current practices of the organisation, and leads on to the building of an implementation plan with targeted actions, relevant to particular parts of the business, which need to be taken to bridge the compliance gap.
At the outset of any GDPR compliance programme, consideration should be given to the appropriate risk profile for the organisation. Factors such as:
- the organisation’s industry or sector (and how heavily it is regulated)
- its size
- its geographic footprint
- the sensitivity of the data it typically handles, and
- the expectations of its customer base
These factors can all influence the scope of the GDPR compliance programme it needs to put in place, both in the run-up to May 2018—when an organisation will generally be identifying key compliance gaps and taking remedial steps—and thereafter, when the programme will be managing day-to-day data privacy compliance within the organisation. ‘Right-sizing’ in this way is essential in ensuring the correct budgetary approval is secured within the organisation to build a lasting privacy compliance programme, properly adjusted to the organisation’s particular challenges.
Do you have any tips on how organisations can build and integrate a GDPR implementation plan?
As above, building an implementation plan, containing a list of actions which an organisation must take in order to move towards GDPR compliance, is only possible following an analysis of how far current working practices align with the GDPR. Ideally you will want to have an open and honest discussion with key stakeholders about this, from areas of the business such as marketing, IT, operations, HR, compliance, etc. Many organisations find it helpful to bring in a third party, such as a law firm or consultants, to help with this project. This exercise should help identify the key areas that will need attention to achieve an effective compliance position.
Flowing from the gap analysis should be an actionable list of steps which the organisation can take in order to improve its compliance position. These may be as concrete as drafting or revising a particular policy or set of contractual terms, but may also be broader actions relating to the governance or management of the organisation, such as opening up regular channels of communication between parts of the organisation identified as data intensive and the privacy compliance function or data protection officer.
What is data mapping?
The term covers a range of activities, but in the world of data privacy compliance it generally describes a process of investigating and understanding how personal data flows through an organisation. This may be done on a system-by-system basis, by analysing what personal data, if any, passes through or resides upon the key IT platforms and applications used by a business (e.g. a customer relationship management platform or a document management system). Alternatively, it can be approached on a process-by-process basis, by analysing the personal data which is collected and used for a particular business process (e.g. a recruitment function or an online marketing campaign).
Technologies exist which may enable an organisation to partially automate the data gathering required for this process. However, in practice, data mapping also typically relies upon a process of interviewing key stakeholders within the business about their use of data, and manually auditing example records.
Ultimately, the data-mapping process serves two important functions. First, it enables an organisation to begin building the record of processing activities which a controller is required to maintain under Article 30 of the GDPR. Second, it forms the basis of a gap-analysis assessment, whereby the compliant position under the GDPR can be compared with the organisation’s current practices.
Do you have any practical tips on how to manage data mapping?
It is important for an organisation to have a clear view on the level of detail which it requires from a data-mapping exercise. Is the goal to forensically examine all instances of personal data across all systems or is it sufficient to understand, in broader terms, the key types of personal data used by each team? A forensic data-mapping exercise produces the most complete basis for analysing the organisation’s current level of compliance, but can be a lengthy and costly exercise.
Ultimately, it should be noted that any data-mapping exercise will only produce a snapshot of data usage at a particular moment in time. Under the GDPR, an organisation will need to have an awareness of how its use of personal data changes and evolves over time, and the record of processing activities will need to be a living document. However, the snapshot produced by a data-mapping exercise will serve as a baseline position for the organisation’s use of data, which can then be amended as new processes are instigated or current processes are reconfigured or shut down.
In our experience, it is beneficial to build an element of face-to-face discussion into the data-mapping exercise. While an understanding of personal data flows can be gleaned from a desktop analysis of a system or its records, and while paper-based questionnaires about data usage can be useful, it is often in an interview setting that a fuller discussion about personal data and its relevance to a particular team can be opened up with clients or colleagues.
For more information, see Journal article: People, processes, technology—a how-to guide to data mapping: Privacy and Data Protection, PDP 16 8 (6).
What are the different implications for the public and private sectors in preparing for implementation of the GDPR?
A key challenge for the public sector will be reconciling budgetary restraints on a compliance programme with the extra focus and scrutiny which is often placed on public sector bodies to operate in a compliant manner. One of the strongest mitigators against excessive cost can be preparing in a timely manner—arguably it is therefore particularly important for public sector organisations to address, as soon as possible, the steps they need to take in the run-up to 2018. As with the current regime, public sector organisations will have to balance and reconcile their GDPR compliance programme with compliance with the information rights regime surrounding the Freedom of Information Act 2000.
For the private sector, one of the top priorities for many boards will be assessing their businesses’ potential exposure to risk. Based on the group’s turnover and its approximate exposure to EU personal data, they will be assessing the sorts of fines which could, theoretically, be imposed under the much heavier new enforcement regime, not to mention the increased risk of personal court challenges (including, potentially, class actions). This will need balancing with the cost of investment in making the necessary changes, which can, in some areas, be substantial, and an assessment of what peer organisations are doing.
Aside from financial risk, implications for the private sector will vary greatly sector by sector. Consumer-orientated businesses, such as those in the retail or hospitality and leisure sectors, will have particular challenges concerning transparency and data subject rights. Meanwhile, businesses in heavily regulated sectors, such as financial services, insurance or health care, may be more concerned about the new data breach reporting requirements.
What is the role of DPOs and what knowledge and experience must they have to carry out the role? Do they have to make themselves known to any specific regulatory bodies?
The first question for many organisations will be: ‘Do we need a DPO?’ The default rules in Article 37 of the GDPR concentrate the legal requirement to appoint a DPO on organisations which, as a core activity, systematically monitor data subjects on a large scale, or process on a large scale special categories of data (i.e. so-called ‘sensitive personal data’). Recent guidance published by the Article 29 Working Party provides some further details and concrete examples on when a DPO must be appointed. It should also be noted that Member States will be able to gold-plate Article 37 of the GDPR and extend the legal requirement to appoint a DPO to a wider range of organisations.
However, in our view, even where the technical requirement to appoint a DPO is not triggered, the level of compliance demanded by the GDPR, and the active management it will require, advocates strongly for the appointment of a DPO in most cases.
The DPO is required by Article 37(5) of the GDPR to have expert knowledge of data protection law and practices and must be adequately equipped, both in terms of capability and available resources, to accomplish the tasks set out in Article 39 of the GDPR. The GDPR indicates, and it is confirmed by the recent Article 29 Working Party guidance, that a DPO can be a third party instructed to carry out a DPO function under a service contract.
For more information, see Practice Note: The General Data Protection Regulation—Data Protection Officers and in particular the main section on Data Protection Officers and Precedent: Data protection officer (DPO) job description and role profile.
How should firms go about making data protection impact assessments (DPIAs)? Do you have any best practice tips for complying with this element of the GDPR?
A preliminary challenge is to build DPIAs into the way an organisation operates, so that the need for a DPIA can be identified early on, and an assessment can be carried out in sufficient time before a new system or process commences to allow for any recommendations arising from the DPIA to be considered and implemented. The principle of ‘privacy by design’ depends upon an organisation being privacy savvy, and on an awareness of the need to consider privacy issues, and therefore the potential need for a DPIA, across all business functions (and not just within the legal or compliance teams). Amending policies and process maps to include references to DPIAs, or adding an approval layer involving the DPO, can be ways of ensuring that new proposals are, where necessary, taken through the DPIA process.
A good DPIA will often act somewhat like a small-scale compliance review. It will ascertain the types of personal data which the new project will process, and the purposes (and therefore legal bases) for that processing. It will then identify the gaps between the proposed way of working and a compliant GDPR position, perhaps assigning a risk rating to each gap based on the size of the technical breach of law and the practical risk of exposure or enforcement action. It will then recommend remedial actions which the project team should consider implementing in order to reduce privacy risks.
For more information, see Practice Notes: The General Data Protection Regulation—Data protection impact assessments, Privacy impact assessments, Precedent: Privacy impact assessment and Journal article: A practical guide to impact assessments: Privacy and Data Protection, PDP 16 7 (5).
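As an added example that is not part of the original article or of DLA Piper’s advice, the following Python script shows the data-mapping and gap-analysis process described above, together with the DPIA-style risk rating, in code. A constructed inventory of processing activities is checked against a handful of the GDPR requirements named on this page (an Article 6 legal basis, an Article 9(2) condition for special-category data, a Chapter V safeguard for transfers outside the EEA, consent that can be withdrawn as easily as it was given under Article 7(3), and a recorded retention period); each gap gets a rating that combines the size of the technical breach with the practical exposure, and the same inventory produces a skeleton Article 30 record. The activities, systems, owners, the partial EEA list and the ‘large scale’ threshold are all assumptions invented for the example.

```python
# Added example, not code from the article or from DLA Piper: a constructed
# data-mapping inventory run through an automated GDPR gap analysis of the
# kind the text describes, with a DPIA-style risk rating on each gap.
# All activities, systems and thresholds below are invented for illustration.
from dataclasses import dataclass, field

# Partial EEA list, enough for the sample data (assumption: extend for real use).
EEA = {"UK", "DE", "FR", "IE", "NL", "ES", "IT", "SE", "NO", "IS", "LI"}
ARTICLE_6_BASES = {"consent", "contract", "legal obligation",
                   "vital interests", "public task", "legitimate interests"}
LARGE_SCALE = 10_000  # hypothetical threshold used only for the exposure weight


@dataclass
class ProcessingActivity:
    """One row of the data map: who collects what, why, and where it goes."""
    name: str
    system: str
    owner: str                        # accountable team or person
    data_categories: set
    purpose: str
    legal_basis: str                  # Article 6 basis, as recorded by the team
    subjects: int                     # approximate number of data subjects
    special_category: bool = False    # Article 9 data (health, biometrics, ...)
    special_condition: str = ""       # Article 9(2) condition relied upon
    recipients: list = field(default_factory=list)
    transfer_countries: set = field(default_factory=set)
    transfer_safeguard: str = ""      # e.g. standard contractual clauses
    retention: str = ""               # envisaged erasure time limit
    consent_withdrawal: bool = False  # can consent be withdrawn as easily as given?


def find_gaps(activity):
    """Compare one activity with the compliant position; return (severity, issue) tuples."""
    gaps = []
    if activity.legal_basis not in ARTICLE_6_BASES:
        gaps.append((3, "no recognised Article 6 legal basis recorded"))
    if activity.legal_basis == "consent" and not activity.consent_withdrawal:
        gaps.append((2, "consent relied on but no withdrawal route as easy as giving it (Article 7(3))"))
    if activity.special_category and not activity.special_condition:
        gaps.append((3, "special-category data without an Article 9(2) condition"))
    outside_eea = activity.transfer_countries - EEA
    if outside_eea and not activity.transfer_safeguard:
        gaps.append((3, f"transfer to {sorted(outside_eea)} without a Chapter V safeguard"))
    if not activity.retention:
        gaps.append((1, "no retention period / erasure time limit recorded (Article 30(1)(f))"))
    if not activity.owner:
        gaps.append((1, "no accountable owner recorded"))
    return gaps


def risk_rating(activity, severity):
    """DPIA-style rating: size of the technical breach x practical exposure."""
    exposure = 1
    if activity.subjects >= LARGE_SCALE:
        exposure += 1
    if activity.special_category:
        exposure += 1
    return severity * exposure        # 1 (minor) .. 9 (critical)


def gap_report(activities):
    """Implementation-plan input: one row per gap, highest risk first."""
    rows = []
    for act in activities:
        for severity, issue in find_gaps(act):
            rows.append({"activity": act.name, "owner": act.owner or "UNASSIGNED",
                         "issue": issue, "risk": risk_rating(act, severity)})
    return sorted(rows, key=lambda r: (-r["risk"], r["activity"]))


def article30_record(activities):
    """Skeleton of the controller's record of processing activities (Article 30(1))."""
    return [{
        "purpose": act.purpose,
        "categories_of_data": sorted(act.data_categories),
        "recipients": list(act.recipients),
        "third_country_transfers": sorted(act.transfer_countries - EEA),
        "safeguard": act.transfer_safeguard or None,
        "erasure_time_limit": act.retention or None,
    } for act in activities]


# Constructed sample inventory (invented; not from any real organisation).
SAMPLE = [
    ProcessingActivity("Newsletter", "CRM", "Marketing", {"email", "name"},
                       "marketing emails", "consent", subjects=50_000,
                       recipients=["email service provider"],
                       transfer_countries={"US"}, retention="until unsubscribe"),
    ProcessingActivity("Payroll", "HR system", "HR", {"name", "bank details", "sick leave"},
                       "pay staff", "contract", subjects=300, special_category=True,
                       special_condition="employment law (Art 9(2)(b))",
                       transfer_countries={"IE"}, retention="6 years after leaving"),
    ProcessingActivity("Recruitment", "shared drive", "", {"CV", "health questionnaire"},
                       "assess candidates", "", subjects=2_000, special_category=True),
]

if __name__ == "__main__":
    for row in gap_report(SAMPLE):
        print(f"[risk {row['risk']}] {row['activity']:<12} {row['owner']:<10} {row['issue']}")
```

Running the script prints the gaps highest-risk first, which is the form an implementation plan needs: each row names the accountable owner (or flags that none was recorded), so actions can be assigned to the part of the business that holds the data. A real gap analysis covers far more of the Regulation than these six checks; the point is that a structured, living inventory lets the review be re-run as processes change rather than repeated from scratch.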
The views expressed by our legal analysis interviewees are not necessarily those of the proprietor.
Preparing for the GDPR
This Checklist covers issues which UK-based organisations should consider when looking to prepare for the General Data Protection Regulation, Regulation (EU) 2016/679 (the GDPR). This Checklist should be used alongside Practice Note: The General Data Protection Regulation.
The GDPR’s provisions will be directly applicable and fully enforceable in all EEA Member States from 25 May 2018.
This Checklist is ordered as follows:
- initial steps: these are the general questions which an organisation needs to consider when preparing its GDPR compliance programme
- compliance review: these are the more specific high-level matters which organisations need to consider as part of the compliance review
- outputs: it is likely that a compliance review will indicate that a number of changes are necessary or desirable across the organisation, and
- continuous review: organisations should ensure that they keep the GDPR under constant review
- Who needs to be informed about the GDPR and what is the state of their knowledge?
  - senior management
  - legal and risk management teams
  - other key stakeholders
For more information, see Practice Note: The General Data Protection Regulation.
- Where relevant, which supervisory authorities (SAs) will the organisation come under (e.g. the ICO)?
Which one will be the lead SA?
For more information, see Practice Note: The General Data Protection Regulation—Changes in regulatory oversight.
- What law and guidance applies? e.g.:
For more information, see Practice Notes: The General Data Protection Regulation—Territorial scope and Extra-territorial reach under the GDPR.
- Who will be responsible for the organisation’s compliance?
Will there be a sponsor at board level?
- What planning, skills and resources are required for the compliance review?
- What special rules does the organisation need to be aware of? In particular:
  - sensitive data (‘special categories of personal data’)
  - international transfers of data
- What is the organisation’s appetite for risk and approach to compliance matters generally?
- Have the following been considered?
  - contracts which the organisation has entered into and which are still in force
  - contracts which are currently being negotiated
  - the approach to future contracts
- How will the seven principles of processing personal data be built into compliance?
For more information, see Practice Note: Data protection principles under the GDPR.
- How will data protection by design and default be built into compliance?
For more information see Practice Note: The General Data Protection Regulation—Data protection by design and by default.
- How will data subjects’ rights be implemented (including new rights such as the right to be forgotten and data portability)?
For more information, see Practice Note: The General Data Protection Regulation—Rights of the data subject.
- To what extent is the organisation exposed to changes introduced by the GDPR?
What does it need to do to accommodate them (e.g., the obligation to ensure consent can be withdrawn as easily as it was given)? For more information, see Practice Note: The General Data Protection Regulation.
- What will be the legal basis for processing personal data (in particular in relation to any reliance on consent, which is more prescriptive under the GDPR)?
For more information see Practice Notes: The General Data Protection Regulation—Lawfulness of processing and Consent under the GDPR.
- To what extent will data protection impact assessments need to be undertaken?
For more information see Practice Note: The General Data Protection Regulation—Data protection impact assessments.
- Can any steps be taken to reduce the compliance burden (e.g., ending transfers of personal data to outside the EEA)?
For more information, see Practice Note: The General Data Protection Regulation—Data protection impact assessments.
- Will a Data Protection Officer (DPO) be appointed?
  - is it mandatory?
  - is it desirable (if voluntary)?
  - should it be outsourced?
  - should it be full or part time?
For more information, see Practice Note: The General Data Protection Regulation—Data Protection Officers (DPO).
- Do any legal governance, risk management and compliance systems need to be considered when seeking to comply with the GDPR?
- What changes will be made to business processes (e.g. to factor in the expanded fines under the GDPR regime)?
For more information see: Sanctions and enforcement under the GDPR.
- What documents and notices need to be updated?
What will be the approach to making the necessary or desirable changes to contracts and other compliance documents, e.g., privacy and fair processing notices and policies?
- What competitive opportunities does the GDPR present (if any)?
- What cultural changes are necessary within the organisation and how will these be delivered?
- What new processes will be necessary or desirable to comply with access requests by data subjects?
Should an internet portal be set up?
For more information, see Practice Note: The General Data Protection Regulation—Rights of the data subject.
- Is there a strategy for GDPR compliance?
What matters should be prioritised?
For more information, see Practice Note: The General Data Protection Regulation—A strategy to become GDPR compliant.
- What systems will be implemented to ensure that any new developments (legal or commercial) are factored into the GDPR compliance programme?
- Should more comprehensive audits be undertaken?
  - an internal audit (whether in whole or in part)
  - an audit by the ICO (an ICO audit is potentially a public process; with the agreement of the organisation, the ICO publishes the executive summary on the ICO website)
ICO to evolve policies on subject access requests in light of court rulings
Two recent Court of Appeal judgments, in Dawson-Damer & Ors v Taylor Wessing LLP EWCA Civ 74, and Ittihadieh v 5-11 Cheyne Gardens RTM Co Ltd & Ors and Deer v University of Oxford EWCA Civ 121, have clarified the law on subject access requests (SARs), i.e. that data controllers can take into account difficulties which occur throughout the process of complying with a request. As a result of these rulings, the Information Commissioner’s Office (ICO) is working on updated guidance on the Data Protection Act 1998 (DPA 1998) relating to data protection, CCTV and SAR codes of practice. Upcoming ICO guidance is also aimed at helping organisations understand the General Data Protection Regulation (GDPR). See LNB News 06/07/2017 22 for more information.
Court of Appeal dismisses appeal on Environmental Information Regulations 2004
A purposive application of reg 2(1) of the Environmental Information Regulations 2004, SI 2004/3391, required information to be considered in its context and not restricted by what the information was specifically, directly or immediately about. Accordingly, in Department for Business, Energy and Industrial Strategy v Information Commissioner and another All ER (D) 64 (Jul), EWCA Civ 844, the Court of Appeal dismissed the appellant Department for Business, Energy and Industrial Strategy's appeal, as the Upper Tribunal (Administrative Appeals Chamber) had been correct to find that a project assessment review had been 'on' the government's smart meter programme for the purposes of reg 2(1)(c).
Local authority did not breach data protection principles when publishing documents (Hussain v Sandwell Metropolitan Borough Council)
Hussain v Sandwell Metropolitan Borough Council EWHC 1641 (Admin)
The Administrative Court dismissed the application by the claimant elected member of the defendant local authority for judicial review of the defendant's initiation of formal investigatory procedures and publication of certain documents relating to that investigation. Amongst other things, the court found that the local authority had not erred by publishing the documents, which had been within its powers and had not been in breach of data protection principles.
Government outlines data sharing and cyber security improvements across the NHS
A response document from the Department of Health’s (DH) data sharing and cyber security team sets out the government’s response to the National Data Guardian’s (NDG) review on data security, consent and opt-outs, and the Care Quality Commission’s (CQC) review ‘Safe Data, Safe Care’. It provides a summary of consultation responses and outlines the government’s proposed approach. See LNB News 12/07/2017 101 for more information.
Article 29 Working Party publishes Opinion on data processing at work
The Article 29 Working Party (WP29) has published an Opinion on data processing at work. The Opinion is intended to complement the WP29’s Opinion 8/2001 on the processing of personal data in the employment context (WP48) and the 2002 Working Document on the surveillance of electronic communications in the workplace (WP55).