Seven steps to GDPR compliance

A folder labelled "GDPR Compliance" on a desk
(Image credit: Shutterstock)

Europe's General Data Protection Regulation (GDPR) was introduced in May 2018, replacing the previous Data Protection Directive. The law's arrival caused worry among companies big and small, as non-compliance with the updated data and privacy rules could see huge fines issues that have the potential to cripple the majority of businesses.

But complying with the new rules isn't the huge task it's been made out to be, or at least it shouldn't be for companies that prepared well and were already following existing data protection rules. However, one sticking point is demonstrating to the Information Commissioner's Office (ICO) that you're taking the appropriate steps to comply with the rules, something that will prove particularly important should you suffer a data breach.

GDPR was introduced to harmonise the flow of data across the European Union by standardising regulations. There was some debate at the time as to why the UK would also be adopting these new rules when it was set to leave the bloc, but the rules don't just apply to companies based in the EU. Rather, it governs the use of EU residents' data irrespective of where the organisation processing that information - the data controller - is based.

Following the introduction of the rules, the UK decided to follow suit and update its own data protection laws in line with GDPR by introducing the Data Protection Act (DPA) 2018. This supersedes the previous Data Protection Act, which came into force in 1998 and currently sits alongside GDPR when ruling on data protection cases in the UK. GDPR is set to be enshrined into UK law as part of the European (Withdrawal) Act.

GDPR (and, by consequence, the DPA 2018) has many parts and can be confusing for any business no matter what size, or whether they've audited their data usage or not. The law gives people the right to view the data that's held about them and ask for it to be removed if they're not happy with it. It also offers guidelines for data controllers and data processors, who are responsible for collecting and processing data within an organisation (which, in some cases, will be third parties).

In the UK, compliance is governed by the ICO, which will ensure the guidelines are adhered to and issue penalties if businesses don't comply.

If you aren't already compliant with GDPR, the time to act is now. While the ICO will likely monitor compliance by focusing on companies that suffer data breaches if you aren't compliant with GDPR, those breaches might be more likely to occur, and fines will likely be higher for breached firms that demonstrate little effort on complying with the law.

Here are seven steps to guide you towards compliance, as well as a bit more information on what GDPR entails, you can find our full guide here.

What is GDPR?

The General Data Protection Regulation is replacement legislation for the 1995 Data Protection Directive, which until now set the minimum standards for processing data in the EU.

The new rules affect every member state and every company that processes data, but they fall particularly hard on those that hold and process large amounts of EU residents' personal data, like marketing firms, social media sites and the data brokers who connect them.

It's also essential for firms whose business models rely on acquiring and processing consumer data at scale to pay close attention to the new requirements. If companies rely on consent to process data, that consent now has to be explicit, informed and renewed if the way the data is used changes after its original collection.

GDPR comprehensively offers individuals more power to demand companies reveal or delete any personal data they hold on them. Not just photos or documents, but basic things like names and social network posts also count as personal information.

In the UK, the old DPA allowed people to find out what data companies held on them, but allowed organisations to charge a fee for handing over this information. This fee has been scrapped under GDPR, and organisations must be able to share that data quickly, as well as delete, amend or send it to another company on the individual's say-so.

Regulators also now have the power to work in concert across the EU for the first time, instead of having to launch separate actions in each jurisdiction. Their enforcement actions also have real teeth, with the maximum fine of up to 20 million or 4% of a company's annual worldwide turnover, whichever is greater.

With Brexit negotiations still ongoing, see the Information Commissioner's Office's overview for the most up-to-date information.

In the meantime, these seven steps should help you avoid falling foul of the law.

Step one: Focus on data protection by design

In order to stay compliant, businesses are expected to put the customer at the core of every decision made or process carried out. That means baking data protections into every activity, regardless of the nature of your business. It's this forward planning that data regulators are particularly concerned with, as they want to see that businesses are thinking and behaving responsibly with any data they collect.

This is particularly important for any company that relies on third-party processors as part of their business model - new joint liability clauses mean that you will be just as responsible for data misuse even if it was entirely the fault of your partner company.

Adhering to this principle will likely require you to implement new technical and organisational measures to ensure data protection is considered at each stage of your company. All existing and new services should, for example, accommodate for the various rights given to data subjects, such as the right to access and the right to erasure, as well as making sure data processing is completely transparent.

Not only does this make adhering to GDPR far easier, but it also serves to help you get ahead of any complications you might encounter further down the line. Should your company fall victim to a data breach, being able to show that you did as much as you could to safeguard user data and uphold their rights as data subjects will go a long way to appease any investigating data regulator.

RELATED RESOURCE

Don’t just collect data, innovate with it.

Removing the barriers to the experience economy

FREE DOWNLOAD

Step two: Ensure you remain accountable

Adopting privacy-centric business processes is crucial, but it's not enough: you must also be able to prove that you've done so if asked. That means documenting the discussions and processes that contributed to your final implementation. This is as much a protection for yourself as it is a way of reassuring your customers since it enables you to show that the available protection measures were considered and incorporated in your business.

On top of this, any staff who might handle personal data must be adequately trained; you need to devise and implement a robust internal data protection policy that complies with every aspect of GDPR.

If you have more than 250 staff members then some additional requirements apply: you need to retain written internal records of all data processing activities, descriptions of technical and organisational security measures, and documentation of any safeguards applicable to data-transfer mechanisms, among other details. These may be requested by a supervisory authority (in the UK, the ICO to check your compliance, so the more detailed and extensive your records, the better.

Performing a Data Protection Impact Assessment (DPIA) will help you assemble this documentation, and spot any potential weaknesses in your data protection measures. The ICO recommends conducting a DPIA whenever new technologies are used to process information in a way that could place individuals' privacy rights at risk, such as rolling out large-scale CCTV deployments.

The DPIA should include assessments of the risks to individuals, the necessity of data processing and retention, any measures you have employed to minimise the risks, and a description of your processing operations and their purposes.

Step three: Establish a lawful basis to hold and process data

There is a misconception around GDPR that consent is the primary concern to deal with. You can read more about consent here, and it certainly affects the likes of marketing firms and retailers, which rely extensively on people choosing to receive newsletters or promotion emails. But really what you must do under GDPR is establish a lawful basis for collecting data and share that with your customers.

Those lawful bases are: if you have a customer's explicit consent (which you have to ask for again if the reason you're collecting the data changes); to comply with a contract you have with the individual; to comply with the law (called 'legal obligation'); if it's in someone's vital interests - ie to protect their life; if processing their data is in the public interest, which must be weighed against their own interests; or if doing so is in your legitimate interest, which again must be weighed against their own interests.

You must choose a lawful basis for each instance of data collection (or, more likely, each type of data collection). You must document and justify your decisions, and show which basis applies to which type of data, too. Then you must ensure you tell your customers which lawful basis you're relying on by including it in your privacy notice, as well as why you're collecting that data.

As people can withdraw their consent at any time, it's not the most reliable basis for collecting people's data, so another lawful basis might prove more appropriate. But if you are using consent, be sure to explain clearly what a user is opting into and how the data will be used and make sure that the action of opting in is active, rather than passive, as GDPR doesn't allow you to rely on pre-ticked boxes, or assume that a failure to opt-out implies consent. Moreover, any conditions must be detailed separately from regular terms and conditions, so that they are more obvious.

Step four: Keep your users informed

Under GDPR, citizens and customers will have a right to contest your use of their data, or to revoke their consent to it. If you haven't already, you will need to nominate (or hire) a data controller and data protection officer to handle these interactions and make their contact details public.

These details must also be available to the supervisory authority of each member state. This is an independent body that investigates complaints on behalf of European citizens, which will liaise with supervisory authorities in other member states, which together are overseen by the European Data Protection Board.

Alongside your contact information, you'll need to provide a plain-language explanation of how customer data is used, including the purpose of data collection, any interests that the controller, collector or third-party processor might have, who will receive the data, whether it's being transferred to an external agent and more. The full list of notifications can be found on the ICO website.

Some additional obligations apply if you didn't obtain the data directly from the subject for example, if you have purchased a mailing list. In these instances, you must also notify subjects of the categories of personal data you are collecting and how you came by their information.

Step five: Be prepared to delete your data

The GDPR embodies a "right to erasure". This means that, in specific situations, subjects can request that their details be removed from your database entirely.

This might happen if a customer withdraws their consent to further processing of their data. It also includes cases where the data was obtained or processed unlawfully, or where the use for which it was originally gathered no longer applies.

There is a limited set of valid grounds for refusing such a request. These include public health or archival purposes, both of which must be in the public interest (which is distinct from being merely "interesting to the public"). You can also keep personal data in defence of legal claims, in order to comply with a legal retention obligation or to perform tasks required of an official authority.

Clearly, however, in most cases you will have to comply with erasure requests, so make sure that your systems allow you to easily identify and remove individuals' data. If you have made the data available to a third party, the onus is on you to make sure that they also comply with the erasure request. You have one month to comply with a right to erasure request, and ideally must comply without undue delay. The ICO recommends adopting a 28-day deadline for deleting data.

Step six: Be careful when using algorithms

A lot of decisions particularly online are now automated. The GDPR requires that a decision that produces a legal effect or similar must not be based on automated processing unless that processing is absolutely necessary and is authorised by law. The customer must also have given their explicit consent.

This obviously has implications for businesses selling products online, but those aren't the only ones that should take heed. All sorts of profiling activity fall under the realm of the GDPR if it's used to analyse movements (which might apply to a mapping service or social network), performance at work (which would apply to any employer), health (which could include sports clubs), personal preferences and so on.

In short, whenever you intend to use an algorithm to analyse data relating to an individual, be aware that you can't use that data to make decisions with legal implications unless the individual has specifically given you permission to do so.

Step seven: Audit your data

It's essential to audit your data collection and processing activities and update them if required. In particular, check whether any of the third-party providers you rely on are situated outside the European Union, as GDPR restricts the transfer of information beyond the bloc's borders, unless the country in question has a data adequacy agreement essentially where the EU rates the country's data protection measures as strong enough to send European data to.

And remember that once the UK completes its exit from the EU, it will itself be an external nation. It's hoped that the European Commission will agree that Britain ensures an adequate level of protection to permit EU member states to transfer personal data to British companies. If it doesn't, however, then that's bad news for any business that currently serves the EU mainland: the only option then might be to find a way to set up shop within the EU itself.

Keeping a close eye on the legal situation between now and then is absolutely essential; again, the ICO's dedicated GDPR pages are an essential bookmark.

Jane McCallion
Deputy Editor

Jane McCallion is ITPro's deputy editor, specializing in cloud computing, cyber security, data centers and enterprise IT infrastructure. Before becoming Deputy Editor, she held the role of Features Editor, managing a pool of freelance and internal writers, while continuing to specialise in enterprise IT infrastructure, and business strategy.

Prior to joining ITPro, Jane was a freelance business journalist writing as both Jane McCallion and Jane Bordenave for titles such as European CEO, World Finance, and Business Excellence Magazine.