GDPR – Top things to think about
Here are some things to think about – there may be more. If in doubt, please visit the ICO.
Make sure that decision makers and key people in your organisation are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have.
Information you hold
You may need to organise an information audit on personal data you hold, where it came from and who you share it with. For example, if you have inaccurate personal data and have shared this with another organisation, you will have to tell the other organisation about the inaccuracy so it can correct its own records. You won’t be able to do this unless you know what personal data you hold, where it came from and who you share it with. You should document this.
Communicating privacy information
Review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation. When you collect personal data you currently have to give people certain information, such as your identity and how you intend to use their information. This is usually done through a privacy notice. Under the GDPR there are some additional things you will have to tell people. For example, you will need to explain your lawful basis for processing the data, your data retention periods and that individuals have a right to complain to the ICO if they think there is a problem with the way you are handling their data. The GDPR requires the information to be provided in concise, easy to understand and clear language.
Check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format. The GDPR includes the following rights for individuals:
- the right to be informed;
- the right of access;
- the right to rectification;
- the right to erasure;
- the right to restrict processing;
- the right to data portability;
- the right to object; and
- the right not to be subject to automated decision-making, including profiling.
On the whole, the rights individuals will enjoy under the GDPR are the same as those under the DPA but with some significant enhancements. If you are geared up to give individuals their rights now, then the transition to the GDPR should be relatively easy. This is a good time to check your procedures and to work out how you would react if someone asks to have their personal data deleted, for example. Would your systems help you to locate and delete the data? Who will make the decisions about deletion?
Subject access requests
Update your procedures and plan how you will handle requests within the new timescales and provide any additional information. The data will have to be supplied for free and within a month.
Lawful basis for processing personal data
Identify the lawful basis for your processing activity in the GDPR, document it and update your privacy notice to explain it – for example, what you will do with the data and why you collect it. What are the lawful bases for processing?
The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever you process personal data:
- Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
- Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
- Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
- Vital interests: the processing is necessary to protect someone’s life.
- Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
- Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This doesn’t apply if you are a public authority processing data to perform your official tasks.)
Review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents now if they don’t meet the GDPR standard.
Make sure you have the right procedures in place to detect, report and investigate a personal data breach. It should be something you are doing or can do already as this is a DPA requirement currently. Under the new regulations you will have to investigate and report quickly, within 72 hours.
Data Protection by Design and Data Protection Impact Assessments
Familiarise yourself now with the ICO’s code of practice on Privacy Impact Assessments as well as the latest guidance from the Article 29 Working Party, and work out how and when to implement them in your organisation. Data protection impact assessments (also known as privacy impact assessments or PIAs) are a tool which can help organisations identify the most effective way to comply with their data protection obligations and meet individuals’ expectations of privacy. The DPIA should contain:
- A description of the processing operations and the purposes, including, where applicable, the legitimate interests pursued by the controller.
- An assessment of the necessity and proportionality of the processing in relation to the purpose.
- An assessment of the risks to individuals.
- The measures in place to address risk, including security measures, and to demonstrate that you comply.
Data Protection Officers
Designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements. Consider whether you need a Data Protection Officer (DPO). For guidance on this, visit the ICO.
If your organisation operates in more than one EU member state (i.e. you carry out cross-border processing), you should determine your lead data protection supervisory authority. Article 29 Working Party guidelines will help you do this.
The GDPR requires personal data to be processed in a manner that ensures its security. This includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. It requires that appropriate technical or organisational measures are used.
Whenever a controller uses a processor it needs to have a written contract in place. The contract is important so that both parties understand their responsibilities and liabilities. The GDPR sets out what needs to be included in the contract.
©2018 MotoNovo Finance.
MotoNovo Finance, a division of FirstRand Bank Limited (London Branch). Registered in England (Branch Reg. No: BR010027) at Austin Friars House, 2-6 Austin Friars, London, EC2N 2HD. FirstRand Bank Limited is authorised and regulated by the South African Reserve Bank. Authorised by the Prudential Regulation Authority. Subject to regulation by the Financial Conduct Authority and limited regulation by the Prudential Regulation Authority. Details about the extent of our regulation by the Prudential Regulation Authority are available from us on request. FirstRand Bank Limited (London Branch) is a branch of FirstRand Bank Limited, a public limited company registered with the Companies and Intellectual Property Commission in South Africa (Reg. No. 1929/001225/06) Head office: 4 Merchant Place, Corner Fredman Drive and Rivonia Road, Sandton 2196, South Africa