The UK Information Commissioner, Elizabeth Denham, has been vocal about the fact that GDPR compliance is not a moment in time event, but requires ongoing commitment. In her own words, "May 25th is not the end. It is the beginning". With that message in mind and with a bit more breathing space nine months on, what should you be thinking about now?
It could be looking more closely at internal compliance, updating policies and procedures based on new guidance and business developments, refreshing training, or ensuring your strategy remains appropriate based on evolving market practice. Wherever you are in your compliance plan, it's never too late to take stock and consider what more can be done.
Adopting an ongoing culture of compliance will help protect your business against the risks of financial and reputational harm materialising from poor data protection management. It helps demonstrate accountability when things go wrong and can enhance public trust in your brand.
What should you be thinking about now?
With nine months of new guidance, learning and early enforcement action since 25 May 2018, it's a good time to dust off the GDPR and think about next steps. Here's nine things to be considering (both now, and on an on-going basis):
1. Updates to existing policies and procedures
Check whether your policies and procedures need updating as a result of new guidance or business expansion and changes. In particular, the guidance on transparency and consent from the Article 29 Working Party (now European Data Protection Board) and the UK's ICO were not published until shortly before the GDPR came into effect (in April and May 2018 respectively).
For many organisations, this was too late. The pressure to be GDPR-ready in advance of 25 May 2018 meant they had already published updated privacy policies and other GDPR documentation or there was no time remaining to redraft them. The guidance provides useful interpretation of the GDPR's requirements and emphasises data subject trust and expectations, key areas of current regulator focus.
2. New policies or procedures
If budget or resource constraints limited your compliance activity last year, think about whether your current suite of policies and procedures needs extending to ensure an on-going culture of data protection responsibility. A few internal ones to consider are:
- a Data Handling Policy setting the company's standard for compliance and educating staff on how personal data should (or should not) be handled in accordance with GDPR principles;
- a Data Retention (or Records Retention) Policy to help staff ensure personal data are not kept for longer than necessary; and
- a Data Subject Rights Policy to guide relevant staff through the handling of individuals' requests in a compliant way that best protects the interests of the business.
Also, remember that good compliance requires more than just good documentation: the documentation needs to be disseminated to the business and implemented and enforced.
3. Supplier relationships
If you haven't already, think about how you will procure new suppliers that handle your personal data. Article 28(1) of the GDPR requires that due diligence is undertaken to ensure the proposed processor offers "sufficient guarantees" for compliance with the GDPR and safeguarding individual rights.
Consider how this process can be documented and implemented in your organisation's procurement procedures so you can demonstrate that this requirement is met. In particular, for suppliers who were already in place before May 2018, existing due diligence may have been limited or non-existent. Likewise, in the scramble to update contracts for Article 28 pre-May, due diligence aspects may have been put to one side. If so, it would be sensible to ensure such due diligence is now completed.
You should also check that contracts with data processors include the prescriptive requirements set out in Article 28 on an on-going basis. Remember that these requirements are not black and white and there is some flexibility in the way they are drafted to help meet the needs of both sides.
4. Privacy Impact Assessments
Ensure that you have a robust framework for Privacy Impact Assessments (PIAs), which must be carried out where the processing is likely to result in "high risk" and which aligns with the ICO's updated guidance on PIAs published in late 2018.
PIAs are a key part of the GDPR's philosophy of privacy-by-design, which encourages identification of specific privacy risks at the outset of new processing, enabling appropriate mitigation measures to be built in. A template PIA Policy and guidance can ensure that privacy issues arising from business change are properly and consistently identified and managed.
5. GDPR training refresh
Start planning annual GDPR refresher training and, if not implemented already, consider the introduction of more advanced training for staff that regularly handle personal data, such as the sales and marketing; HR; IT; and customer services teams.
GDPR training is not a one-off exercise and should be regularly undertaken and recorded as part of an organisation's accountability obligation. The ICO takes training seriously and it is usually one of the first questions the ICO asks when things go wrong.
6. Data transfers and no-deal Brexit
If you transfer personal data from other EEA countries to the UK, think about how a "no-deal" Brexit will impact the lawfulness of those transfers. If there is no deal, then the UK will become a "third country" for the purposes of the GDPR on 29 March 2019, meaning personal data cannot be transferred to the UK after then unless: (a) the UK is granted an "adequacy" status by the European Commission (which will take time); (b) certain safeguards are in place, such as EU "standard contractual clauses"; or (c) a limited derogation applies.
Therefore, while "no deal" remains a possibility, consider updating your contracts to:
- ensure you have the right to transfer personal data out of the EEA to the UK; and
- include standard contractual clauses, a permitted safeguard, until such time that the UK is granted adequacy.
You should also consider these aspects in relation to onward sharing of data received from the EEA with your data processors and other third parties.
You can read more about the implications of Brexit on data transfers here.
7. Security breaches and ICO enforcement
Consider whether your staff know what to do in the worst-case scenario – if there is a security breach or if the ICO commences any enforcement action. Preparing for a crisis will help you to swiftly take defensive steps to mitigate the serious reputational and financial consequences that can follow when things go wrong.
Consider a Data Breach Policy, guidance on managing regulator interactions and training, including through crisis simulation or “war-gaming” exercises. Our Cyber 365 product can help with this aspect. Please contact us if you would like further details.
8. Compliance strategy
Review your on-going compliance strategy. A key part of assessing data protection risk is understanding how the GDPR is likely to interpreted and enforced by regulators. Therefore, it is worth looking at GDPR enforcement action to date and ICO policy to evaluate whether your strategy is still appropriate.
In the UK, the ICO has yet to issue its first GDPR fine but there has been a trend in recent years of the ICO upping the ante with increasing fines for flagrant non-compliance with data protection laws, particularly with data aggregators and direct marketers.
The ICO has also published a Regulatory Action Policy in which it confirms that its enforcement policy will be "transparent, consistent and proportionate" and sets out aggravating and mitigating considerations that the ICO will take into account in determining appropriate enforcement action.
9. One year audit
Think about any necessary processes and controls to audit the businesses' implementation and compliance with privacy safeguards. To be meaningful and accountable, compliance requires more than just good policies and procedures; they must actually be shared with and followed by staff. Compliance needs to be recorded, audited and enforced appropriately with any outcomes properly documented and lessons learnt.