I’ve been meaning to write for a while, from the perspective of website owners and operators, about the European Union’s (EU) new General Data Protection Regulation (GDPR), which comes into force on May 25, 2018. This follows my previous post “What effect does the GDPR have on my website” in which I looked at cookies.
I’ve seen articles that point out the highlights of the GDPR by simply rewriting its articles in different language, so I’ll try not to do that. I will keep it brief, use simple language and, where possible, use examples that mean something to website owners. I might not cover everything, but hopefully I will capture the main points that website owners need to be aware of, and maybe that will help others too.
I have read the GDPR from cover to cover only once, but the 99 articles several times. I think I now understand it well enough to make a good stab at explaining the key points and to suggest ways to implement and satisfy the regulation. In this article I am only going to concentrate on some of the provisions, principles and rights of individuals laid out in Chapters I, II and III of the GDPR that I think are most important to website owners.
Just for the record, I am not a lawyer and do not represent my employer. Everything in this article is my opinion to help aid discussion, nothing more. You should not rely on it as fact and should always seek legal advice before acting on anything that might have consequences for you or your company. I should be clear that what I am writing here might prove incorrect, but it is written in good faith as my understanding of the regulation at this time. I cannot be held liable for any actions that you or others take based on this article.
GDPR Overview
For a start, the General Data Protection Regulation protects the personal data of natural persons in the EU (data subjects, which is a wider group than EU citizens), and it can apply to any person or company anywhere in the world that stores and processes data about them.
The GDPR, adopted in 2016, replaces the Data Protection Directive of 1995 and is enforceable from 25 May 2018. Organisations were given two years to get their house in order, which is why it was not enforced sooner.
A large proportion of the GDPR is taken up with governance and the workings of the regulation rather than the rights of individuals, and I won’t cover that here. I also won’t cover the special circumstances of public authorities or certain industries, where some parts of the regulation do not apply or are relaxed. Before we get stuck into the principles and individual rights of the GDPR there are a few things I just want to mention.
- A personal data breach must be reported to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it (Article 33), unless it is unlikely to result in a risk to the rights and freedoms of the people affected; if notification is later than that, you must give reasons for the delay. If the breach is likely to result in a high risk to those people, they must be told as well (Article 34). Data breaches or non-compliance with this regulation can lead to fines of up to €20,000,000 or 4% of total worldwide annual turnover for the preceding financial year, whichever is the greater! I do not have any clue as to how a fine will be set, but I should imagine that it will not be as straightforward as everyone being fined the maximum and will be based on the severity of the breach and on the company’s actions. Article 83 does list the factors to be considered, and early reporting, full disclosure and prompt remedial action are among them, so they might help avoid the maximum penalty.
- A controller or processor outside the EU that offers goods or services to people in the EU, or monitors their behaviour (Article 3(2)), must comply with this regulation whether the data is processed electronically or in an organised paper filing system, automatically or manually, and with limited exceptions must designate a representative established in the EU (Article 27). A Data Protection Officer is a separate requirement and is only mandatory in the cases listed in Article 37 (public authorities, large-scale regular and systematic monitoring, or large-scale processing of special categories of data). Each member state designates one or more supervisory authorities (Article 51) and may set up certification schemes for demonstrating compliance (Article 42). In the UK, the Information Commissioner’s Office (ICO) is the supervisory authority.
- Organisations are required to show how they comply with the principles of the GDPR by documenting, training, auditing and reviewing their processing activities and internal policies (the accountability principle in Article 5(2) and the records of processing in Article 30). They will be accountable to the supervisory authority of the member state in which they operate. This is why I believe an organisation will require an operation in at least one EU member state if it will process EU citizen data.
- The UK was one of the 28 EU member states that adopted this regulation in 2016, and so it forms part of UK law. My understanding is that it will be just like all previous regulations that the UK has signed up to before it, and the UK opted to participate as a member state rather than abstain. If the UK leaves the EU (known as Brexit) then it will have no effect on the UK’s participation in this regulation. Post Brexit, the UK may wish to change that position in Parliament, but I cannot see it happening, especially if the UK wants a free trade agreement with the other 27 member states.
GDPR Definitions
This is a brief outline of some relevant definitions – a full list of definitions can be found in Chapter I, Article 4 of the GDPR.
- Personal data means any information relating to an identified or identifiable natural person. You don’t even have to store their name: any identifier such as a UK national insurance number, an employer payroll number, an address (including an IP address), a cookie or device identifier, or even your own system ID that links to one or more pieces of information about a person makes the record personal data.
- Processing means any operation performed on the data, whether automated or not, from collection and storage through to disclosure and erasure. Finding a record in a database is an example of a manual process; sending out a scheduled mass mailing is an example of an automated one. Restriction of processing means marking stored data so that it is excluded from processing for a particular purpose in the future. For example, flagging that a user no longer wants to be included in the newsletter distribution even though they still want to be sent special offers.
- An entity is any natural or legal person, public authority, agency or other body. A controller is the entity that determines the purposes and means by which personal data is processed. If those decisions are made jointly with other entities then they are joint controllers. A processor processes the data on behalf of the controller and only on the controller’s documented instructions; a processor that processes for its own purposes or by its own means becomes a controller for that processing (Article 28(10)). A recipient is an entity to which data is disclosed. A representative is an entity designated by a controller or processor established outside the EU to act on its behalf in the EU (Article 27). A third party is an entity other than the data subject, the controller, the processor and the persons authorised to process data under their direct authority.
- A filing system is any structured set of personal data that is accessible according to specific criteria, whether it is in electronic form or not. For example, medical records held on paper and stored by name in a filing cabinet are part of a filing system. For the purposes of the regulation, it is largely irrelevant where and how the data is stored; if it is structured to allow processing then it is a filing system. I would say that an encrypted backup of a filing system is not a filing system in itself, as it does not allow processing without recovery.
- Pseudonymisation is processing personal data so that it can no longer be attributed to a specific person without the use of additional information, for example replacing a customer’s email address with a keyed token. The additional information (the key or lookup table) must be kept separately and be subject to technical and organisational measures so that it is not used to re-identify people. Pseudonymised data is still personal data, because the controller can reverse the process; only data that cannot be linked back to a person by anyone, by any means reasonably likely to be used, is anonymous and outside the regulation (Recital 26).
- Personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data that is stored, transmitted or otherwise processed. Losing a laptop or a backup tape counts just as much as an attacker reading the database.
- Consent means that the person freely gives, by way of a statement or a clear affirmative action, a specific and informed indication that they agree to their personal data being processed for the purpose stated. The purpose and means of processing, and any implications, must be made available to the person beforehand so that they can make an informed choice. Pre-ticked boxes, silence and inactivity do not count as consent (Recital 32).
Provisions, Principles and Rights
The following sections will hopefully simplify the provisions, principles and individual rights from the first three GDPR chapters as they affect website owners and operators. I will try not to include other types of record-keeping or processing outside of websites, or unusual circumstances, so it is in no way a complete breakdown. You should take legal advice or read the regulation yourself; as far as legal documents go I think it is well written, despite it still jumping around with references to articles in later sections.
For owners of sites that are completely static, that is, sites that collect no data at all, not even for analytics or advertising, there are no changes. There will not be many sites that have no advertising, pass no information to other sites and collect no data for analytics, but there might be some.
GDPR Provisions
The GDPR provides the rules to protect natural persons (data subjects) and gives them rights over the storage and processing of their data. In particular, a person has the right to protection of their personal data in any format where it is processed by automated means or stored as part of a filing system. From the definitions, a filing system can be an ordered paper filing cabinet or a database on a server, and processing means doing anything with the data, such as searching for a record. Protection also covers the transmission of personal data. Keeping a personal contact address book, or your own record of which relative owes you money, is a purely personal or household activity and is excluded from the GDPR (Article 2(2)(c)).
For website owners, make sure your database and any backups are encrypted (even a copy you keep in, say, Excel on your own computer), keep the encryption keys somewhere other than alongside the backups, and operate your website over transport layer security (HTTPS) for every page, not just the login and checkout pages. Encryption does not stop a lost backup from being a breach, but if the data was unintelligible to whoever obtained it you are not obliged to notify the individuals affected (Article 34(3)(a)), which is a strong incentive to get it right.
For non-EU website owners, the regulation applies to any processing carried out in the context of an establishment in the EU, regardless of where the processing itself happens (Article 3(1)), and also to controllers and processors with no EU establishment where the processing relates to offering goods or services to people in the EU or to monitoring their behaviour (Article 3(2)). The GDPR applies regardless of whether the goods or services offered require payment. A website merely being reachable from the EU is not by itself enough (Recital 23); offering an EU language or currency, shipping to EU countries, or tracking EU visitors with analytics or advertising cookies is. If that describes your website and you collect any personal data for any reason then you need to adhere to the regulation or face the consequences. From the definitions, a controller is the entity that decides how and why the data will be processed.
For website owners outside the EU who collect or use personal data of people in the EU, either stop that practice before May 25 or make the changes needed to comply with the GDPR.
GDPR Principles
Personal data shall be processed lawfully, fairly and in a transparent manner towards the data subject. It should only be processed for the purpose for which it was originally collected, and only data that is needed for that purpose should be collected and retained (data minimisation). It must be kept up to date, and you must take every reasonable step to make sure you are processing accurate data. It must be stored in a form that permits identification for no longer than is necessary to fulfil the purpose for which it was collected. Inaccurate data must be erased or rectified without delay, and data that is no longer needed deleted. Personal data must be protected by technical and organisational measures against unauthorised or unlawful processing and against accidental loss, destruction or damage (Article 5).
For website owners that store any personal data, there’s a lot to cover here. I would advise that you review your manual and automatic procedures and document them if that is not already done. Make a note of the purpose of each item of data you hold, look at your processes, make sure there are no security gaps in those processes, and make sure that only the people who need access to the data have it. Have a process set up to delete personal data that you no longer need, or a way of making it truly unidentifiable.
You will also need a procedure for checking the accuracy of data and for allowing it to be corrected. I would set up an annual review where people can check their data and notify you of changes. You can force them to review it on login, or email them to say that they should log in and update their details. I’ll cover more about this in the rights section below, as it is going to be much easier on you if your website lets people correct their data themselves.
To cover transparency, I would set up a page on the website stating what personal data you collect, why you need it and how and when it is used or processed. If you later decide that you need to process it for another purpose you will require individual consent for that (or another lawful basis compatible with the original purpose), unless it is to comply with Union or member state law. It is best to consider all of your processing needs now, then be open and honest on your website and stay true to it.
Consent is only one of the six lawful bases for processing in Article 6; processing that is necessary to perform a contract with the data subject, or to comply with a legal obligation, does not need consent at all. Consent obtained before May 25 remains valid only if it was obtained in a way that meets the GDPR conditions (Recital 171); otherwise fresh consent, or another lawful basis, is needed from May 25. For example, if you are a payroll processor and a company sends you its staff’s personal data for processing then you do not need consent from each individual: the employer’s lawful basis is the employment contract and its legal obligations, and you act on the employer’s instructions. Consent written into an employment contract is unlikely to count as freely given because of the imbalance between employer and employee (Recital 43), so employers should not rely on it. Multinationals that move employee data outside the EU because it is more cost effective need one of the transfer mechanisms in Chapter V rather than a consent clause.
If consent is required it must be clear what the person is consenting to, and the request must not be bundled with other unrelated text. Consent must be given by a clear affirmative action on the part of the data subject, and you must be able to demonstrate that it was given (Article 7(1)), so record what was consented to, when and how. It must be as easy for someone to withdraw their consent as it was to give it.
For most website owners that means getting a new user to consent to processing, and that can be done as part of the sign-up process. However, make consent to data processing stand out from any other terms and conditions, or treat it separately from the T&C, and use a separate, unticked box for each purpose (newsletter, offers, profiling) rather than one catch-all. You will also need to add a provision for a logged-in user to withdraw consent using an equally easy and free method. Withdrawal of consent might mean that the user account needs to be closed, because without consent the user can no longer participate on the website; or, if they consented to processing for more than one purpose, they might want to withdraw consent for one or more purposes without closing their account. You cannot require a user that consented via the website to telephone a help desk to withdraw consent. More on website changes is covered in the rights section.
Where an online service is offered directly to a child, the child’s own consent is only valid from the age of 16 (Article 8); below that age consent must be given or authorised by the holder of parental responsibility. Member states can lower the age, but no lower than 13, and the UK has set it at 13 in the Data Protection Act 2018.
For website owners that allow people below that age to sign up, consent for data processing needs to be given or authorised by a parent, and you must make reasonable efforts, taking available technology into account, to verify that it was. This means that you need a provision in your sign-up process for parental consent, or you stop providing services (and processing data) to people below that age.
It is prohibited to process some special categories of data unless one of the exceptions in Article 9(2) applies, the most relevant for websites being explicit consent from the data subject for a specified purpose. Member states may add further conditions or limitations for genetic, biometric or health data (Article 9(4)), so a member state may not allow some of this data to be processed regardless of consent.
The special categories of personal data include:
- racial or ethnic origin
- political opinions
- religious or philosophical beliefs
- trade-union membership
- genetic data, or biometric data processed to uniquely identify someone
- health
- sex life or sexual orientation
There is a further category of personal data not included above, relating to criminal convictions and offences or related security measures. Under Article 10 that data can only be processed under the control of official authority or where Union or member state law authorises it with appropriate safeguards.
However, if the data subject has manifestly made any of the information in the special categories public themselves, then it may be processed (Article 9(2)(e)). I would be careful here, because it would be up to you to prove that the data subject made it public, and it would probably be easier to gain explicit consent before processing.
For websites, you should steer clear of directly recording any of the special categories of information unless you have very good grounds to do so and can obtain explicit consent. If you need to collect any of this information then make sure you have a way for people to give explicit consent for you to use it, and be careful how you use it in processing.
You can process data however you like if it is anonymous, that is, if it cannot be linked to a natural person by you or anyone else using means reasonably likely to be used (Recital 26). A data subject cannot ask you to change something that can no longer be identified as theirs. You might be asked to prove that the data cannot identify an individual, and the test is not whether it is easy: if a record carries an identifier that also appears in a separate system (a customer number, a device ID, an email hash), the two can be joined and the record is still personal data, even if you never do the join.
For website owners wanting to process data for, say, analytical purposes, it is best to store that data in a way that it can never be traced back to the original person. For example, don’t store the IP address so you can later work out the location; an IP address is itself personal data. Convert the IP address to a coarse geographic region at the time of collection, store that, and discard the address.
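To make the difference between pseudonymised and anonymised data concrete, here is an added Python example that is not from the original post or any analytics product: a keyed pseudonym for a user identifier, which whoever holds the key can still link back (so it remains personal data), next to an analytics record that keeps only a coarse region and throws the address away. The key, the prefix-to-region table and the addresses are all constructed for the example; a real system would hold the key in a secrets store outside the analytics database and use a geolocation database for the region lookup.

```python
"""Added example: keyed pseudonymisation of a user identifier (still personal data,
because the key holder can re-link it) beside irreversible anonymisation of an IP
address for analytics. Not code from the original post; all names are illustrative."""
import hashlib
import hmac
import ipaddress

# Assumption: the pseudonymisation key lives outside the analytics system (e.g. a
# secrets store); here it is a constructed constant so the example runs offline.
PSEUDONYM_KEY = b"constructed-key-kept-outside-the-analytics-store"

# Constructed, coarse mapping from network prefix to region, standing in for a real
# geolocation database. Only the region is retained, never the address.
REGION_BY_PREFIX = {
    ipaddress.ip_network("203.0.113.0/24"): "EU-West",    # TEST-NET-3, constructed
    ipaddress.ip_network("198.51.100.0/24"): "EU-North",  # TEST-NET-2, constructed
    ipaddress.ip_network("2001:db8::/32"): "EU-Central",  # documentation prefix
}


def pseudonymise(user_id: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Return a keyed pseudonym for user_id.

    HMAC rather than a plain hash: without the key nobody can confirm a guessed
    user_id against the pseudonym. With the key the controller *can* re-link it,
    which is exactly why pseudonymised records remain personal data under the GDPR.
    """
    return hmac.new(key, user_id.encode(), hashlib.sha256).hexdigest()[:32]


def relink(pseudonym: str, candidate_ids, key: bytes = PSEUDONYM_KEY):
    """Demonstrate the re-identification risk the key holder carries: anyone with
    the key can recover the subject from a known population of identifiers."""
    for uid in candidate_ids:
        if hmac.compare_digest(pseudonymise(uid, key), pseudonym):
            return uid
    return None


def truncate_ip(addr: str) -> str:
    """Zero the host part (last octet for IPv4, last 80 bits for IPv6) so the stored
    value no longer singles out one machine but still geolocates roughly."""
    ip = ipaddress.ip_address(addr)
    prefix = 24 if ip.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)


def anonymise_hit(addr: str) -> dict:
    """Build the analytics record: region only, address discarded at collection time.
    Addresses outside the constructed table become 'unknown' rather than being kept."""
    ip = ipaddress.ip_address(addr)
    region = next((r for net, r in REGION_BY_PREFIX.items() if ip in net), "unknown")
    return {"region": region}
```

The pseudonym is the thing you would store in a system that needs to recognise a returning user without holding their email address; `relink` is there to show that the key, not the hash, is what separates pseudonymous from anonymous, so the key needs the same care as the raw data. `anonymise_hit` is what an analytics pipeline should persist; `truncate_ip` is the fallback for logs that genuinely need something network-shaped.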
GDPR Rights
All EU data subjects already have certain rights with regard to data stored and processed in filing systems, but from May 25, 2018 the position has been clarified, with the new regulation superseding the 1995 Directive (and, in the UK, the Data Protection Act 1998). In this section I will cover the important aspects of the rights of an individual.
Cadence
If a data subject exercises any of their rights by making a request, the controller must act without undue delay and in any event within one month of receipt of the request. Where the request is complex, or there are many requests, the period can be extended by a further two months, but the controller must tell the requester about the extension and the reasons for it within the original month (Article 12(3)). Three months from receipt is therefore the absolute limit.
The controller cannot refuse a request unless it can demonstrate that the request is manifestly unfounded or excessive, particularly because of its repetitive character, in which case the controller may either charge a reasonable fee or refuse to act; the burden of proof is on the controller (Article 12(5)).
Acting on the request must otherwise be free of charge to the requester.
For website owners, it really will be best for you if every type of request is an action the data subject can carry out automatically through your website, rather than relying on manual processes. Obviously, if a request cannot be performed by a standard action, or by a process you have not yet automated, then the requester needs a simple form to complete to request that action. I would really recommend getting as much as possible automated before 25th May 2018, as there will be people who want to exercise their rights on or shortly after May 25. Whatever is not automated needs a procedure behind it that records the date of receipt, so that the one-month clock is tracked, and a written policy on what you will treat as an excessive or repetitive request, so that decisions to charge or refuse are consistent and defensible.
The controller must take reasonable steps to satisfy itself that the requester is the data subject or, in the case of a child, that the requester is the holder of parental responsibility or that the child has their authority. Where the controller has reasonable doubts about the requester’s identity it may ask for additional information to confirm it (Article 12(6)).
For website owners that provide a login, this is fairly straightforward: provide all requests as actions the user can take themselves, plus a contact form for unusual requests. A mechanism should also be provided for people who have forgotten their login details or are unsure whether you hold any of their personal data. In these cases make sure you have a request form on your website with enough identifying fields to satisfy yourself of the data subject’s identity, and a telephone number to contact them on. You can then search for them based on the identifying details. If you do not have enough details to be sure they are the correct person then you may need a telephone call with some additional questions that only the true data subject will know the answers to, and never send an export to an email address you have not already verified as theirs. I would keep a separate log of all requests, whether handled by the website or manually, and if the request wasn’t via a secure login then record what identity proof was obtained. Keep a note of what was checked rather than copies of identity documents, and delete any supporting evidence once the request is closed, otherwise you are holding new personal data with no purpose. This log may be required by a supervisory or certification body in the future.
Transparency
If you are collecting personal data then you need to make the data subject aware at the time that the data is being collected of certain items.
Items to be provided include: the controller’s identity and contact details (and those of any representative); the data protection officer (if applicable); the purposes and legal basis for processing and, where the basis is legitimate interests, what those interests are; the recipients or categories of recipients of personal data (if any), including any processors; the fact that the controller intends to transfer data outside of the EU and the safeguards used (if applicable); the period of data retention or the criteria used to determine that period (such as while you are a member); the right to lodge a complaint with the supervisory authority; whether providing the data is a statutory or contractual requirement and the consequences of not providing it (such as not being able to participate on the website); the existence of any automated decision-making including profiling, with meaningful information about the logic involved and its significance; and the individual’s rights, including withdrawing consent and the right to object (Article 13).
If the personal data has not been obtained from the data subject themselves, then the controller must provide the data subject with the same information within a reasonable period and at the latest within one month of obtaining it, together with the source of the data and, if applicable, whether it came from publicly accessible sources (Article 14).
If the controller decides that there is another purpose for which they need to process the data, the controller shall provide the same information as above to the data subject including the right to withdraw consent.
If the data subject already has the information, the disclosure does not need to be repeated (Articles 13(4) and 14(5)(a)), so for data you already hold on May 25, 2018 under a privacy notice that covers these points there is nothing new to send. If your existing notice does not cover them, update it and point people to it. Either way the individual has the right to have the information provided to them upon request.
If the data is going to be used in profiling or for marketing purposes then this needs to be made clear and distinct from any other information provided.
For website owners, make all the required information available to the person on sign-up and retrievable from their profile settings or elsewhere on the site. If you are using personal data where a user does not have a login or did not sign up (say for a newsletter subscription whose details you legitimately hold) then you should make the data subjects aware, in your next communication with them, of the information above or where to find it on your website.
Make sure you are very clear on your website what purposes the data is being used for including for marketing or profiling. Make sure you know exactly what your site does with regard to cookies because it might be storing information that is later used on other sites for marketing purposes!
If you have a legitimate reason for processing personal information then you should provide the mechanism on your website for data subjects to exercise their rights (such as changing information) and communicate that. If you have personal information that you are processing and have no legitimate reason to do so, then delete it or anonymise it so that it no longer relates to individuals; pseudonymising it is not enough, because you still hold the means to re-identify them. Likewise, if you provide information to a third party for processing, ask whether it is legitimate and absolutely necessary to pass on personally identifiable information or whether pseudonymised data (with the key staying with you) would serve the same purpose.
Right of access by the data subject
Under Article 15, every data subject has the right to obtain confirmation of whether an entity is processing personal data about them and, if so, access to that data together with: the purposes of processing; the categories of personal data; the envisaged period of retention; the right to lodge a complaint with the supervisory authority; the source of the data (if not obtained from the data subject); the recipients of the data (in particular in third countries or international organisations, including the safeguards in place); any automated decision-making including meaningful information about the logic involved; and the rights to rectification, erasure, restriction of processing and objection.
For website owners, you should make as much of this as automated as possible. Give people logins and controls on your website to view their own information. I would suggest that you create an automated procedure that gathers all of the information into one downloadable document for the requester to view online or on their own computer. A PDF is fine for the right of access, but generate it from a structured export (CSV or JSON), because that is what the right to data portability below requires, and offering both costs little extra. Most of the general information will be the same (or very similar) for every person, so set up a template for it, or provide a link to a general document that can be downloaded alongside the personal export (i.e. a two-part download of general information and personal information). Only serve the export inside an authenticated session, and log each download. The alternative is to create a request form and a process on the website, in which case you will need to validate the identity of the requester to make sure they are entitled to receive it.
Right to rectification
The controller must, without undue delay, correct any inaccurate personal information. When a rectification action is requested by a data subject about their own personal information, the controller will make the changes as soon as is practically possible.
For website owners, providing the tools for a user to do this online will save a lot of your time in the future. If that can’t be accomplished then a process needs to be established where a user can request the changes, preferably by completing a form online. Whichever way the request comes in, the identity of the requester needs to be established, recorded and authenticated to make sure they are entitled to perform (or request) the action.
Right to erasure (‘right to be forgotten’)
Everyone has the right to be forgotten under Article 17. This means that they can request that you erase all personal data concerning them.
The controller must erase the data subject’s personal data without undue delay when one of these conditions arises: the data is no longer necessary for the purpose it was collected for; the data subject withdraws the consent the processing was based on and there is no other legal ground; the data subject objects under Article 21 and there are no overriding legitimate grounds (or the objection concerns direct marketing); the data has been processed unlawfully; erasure is required by a Union or member state legal obligation to which the controller is subject; or the data was collected from a child for an online service (Article 17(1)).
Where the controller has disclosed the personal data to other recipients, it must tell each of them about the erasure (and likewise about any rectification or restriction) unless that is impossible or involves disproportionate effort (Article 19). Where it has made the data public, it must also take reasonable steps to inform other controllers that are processing it that the data subject has requested erasure (Article 17(2)).
However, erasure does not apply where processing is still necessary, for example to comply with a legal obligation under Union or member state law that requires the data to be kept for a certain period, or for the establishment, exercise or defence of legal claims (Article 17(3)). In that case copies can be kept securely for those purposes, but not used for anything else.
For website owners, providing the tools for a user to do this online will save a lot of your time in the future. If that can’t be accomplished then a process needs to be established where a user can request the deletion, preferably by completing a form online. Whichever way the request comes in, the identity of the requester needs to be established, recorded and authenticated to make sure they are entitled to perform (or request) the action. You should also have a process (automated or manual) to delete data that is no longer needed, such as when people close their account with you, and make sure that deletion reaches every table, search index, log and cache that holds the data, not just the main user record.
If you can keep such data to comply with local regulatory, Union or member state laws then you don’t have to delete it, but you should not use it for anything else, and you should inform the requester of the legitimate reason for keeping their data. If you don’t need to keep it but deleting it would cause an excessive amount of work to unravel, or have a massively negative impact on your system, then anonymise the data so it no longer relates to the individual: remove or irreversibly overwrite the identifiers and drop any field that could single them out. Simply pseudonymising it while you still hold the key does not satisfy an erasure request, because the record is still personal data. In most cases it is OK to delete as long as you keep a backup copy of the data to satisfy any future legal or regulatory requirement, rather than for processing (see my comments in the next section). Any backup should be kept securely, using strong file encryption or encrypted media, with the keys stored separately and access to them logged.
My advice on third-party use would be not to share personal information with any other party unless you really have no choice. If you can get away with pseudonymising the data before sharing it, and keeping the key yourself, then do so: it limits what the other party can do with it and saves cascading requests on to them in the future. Remember that a party processing data on your behalf is a processor and needs a written contract under Article 28 regardless.
Right to restriction of processing
Under Article 18 an individual has the right to have processing of their personal data restricted while: the accuracy of the data is contested, for long enough for the controller to verify it; the processing is unlawful but the data subject prefers restriction to erasure; the controller no longer needs the data but the data subject needs it for legal claims; or the data subject has objected under Article 21(1) and it is being verified whether the controller’s legitimate grounds override theirs.
While restricted, the personal data may be stored but not otherwise processed without the data subject’s consent, except for the establishment, exercise or defence of legal claims, to protect the rights of another person, or for reasons of important public interest (Article 18(2)).
If the restriction is to be lifted after investigation then the data subject must be informed before data processing resumes.
In the case where the controller no longer needs the data but the data subject requires their personal data for the establishment, exercise or defence of any legal claims the data subject has the right to allow the controller restricted processing of their data for this provision.
For website owners, you need to allow a user to object to processing (covered in the next section) or to challenge processing as unlawful or the data as inaccurate. During such a period you are not allowed to process the data beyond storing it. If you know that your processing is lawful then you can prepare a response and resume processing, telling the data subject first. In the case where data has been reported as inaccurate, you can either correct it and continue processing or exclude the inaccurate records from processing. If someone objects to the processing of their personal data and you believe that you have a right to continue, you will have to exclude their data while you challenge that.
A mechanism needs to be put in place where an individual’s records can be temporarily (or permanently) excluded from processing, per purpose where the objection or restriction is only about one purpose.
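Putting the consent mechanics from the principles section together with restriction of processing, here is an added Python example, not part of the original post, of a per-purpose consent and restriction ledger with the single selection rule that every batch job (newsletter send, offer mailing, profiling run) should go through instead of reading the user table directly. The purposes, restriction reasons and subject names are illustrative; a real site would persist this in its database and send the Article 18(3) notice when a restriction is lifted.

```python
"""Added example (not from the original post): a per-purpose consent and restriction
ledger and the selection rule that decides which subjects a given processing run may
include. Purposes, reasons and subject ids are illustrative."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional


def now() -> datetime:
    return datetime.now(timezone.utc)


@dataclass
class Consent:
    purpose: str                              # e.g. "newsletter", "special_offers"
    granted_at: datetime
    withdrawn_at: Optional[datetime] = None   # withdrawal must be as easy as granting


@dataclass
class Restriction:
    reason: str                               # e.g. "accuracy_disputed", "objection_pending"
    placed_at: datetime
    lifted_at: Optional[datetime] = None
    purposes: Optional[set] = None            # None = all processing on hold (storage only)


@dataclass
class Subject:
    subject_id: str
    consents: list = field(default_factory=list)
    restrictions: list = field(default_factory=list)
    audit: list = field(default_factory=list)  # who did what, when: the Art. 7(1) evidence

    def grant(self, purpose: str) -> None:
        self.consents.append(Consent(purpose, now()))
        self.audit.append(("grant", purpose, now()))

    def withdraw(self, purpose: str) -> None:
        for c in self.consents:
            if c.purpose == purpose and c.withdrawn_at is None:
                c.withdrawn_at = now()
        self.audit.append(("withdraw", purpose, now()))

    def restrict(self, reason: str, purposes: Optional[set] = None) -> None:
        self.restrictions.append(Restriction(reason, now(), purposes=purposes))
        self.audit.append(("restrict", reason, now()))

    def lift_restriction(self, reason: str) -> None:
        # Art. 18(3): the subject must be told before processing resumes; the audit
        # entry is where a real system would trigger that notice.
        for r in self.restrictions:
            if r.reason == reason and r.lifted_at is None:
                r.lifted_at = now()
        self.audit.append(("lift", reason, now()))

    def has_consent(self, purpose: str) -> bool:
        return any(c.purpose == purpose and c.withdrawn_at is None for c in self.consents)

    def is_restricted(self, purpose: str) -> bool:
        return any(r.lifted_at is None and (r.purposes is None or purpose in r.purposes)
                   for r in self.restrictions)

    def may_process(self, purpose: str) -> bool:
        """Default deny: process only with live consent and no live restriction."""
        return self.has_consent(purpose) and not self.is_restricted(purpose)


def recipients_for(purpose: str, subjects) -> list:
    """The one gate every batch job goes through rather than querying users directly."""
    return [s.subject_id for s in subjects if s.may_process(purpose)]
```

The point of routing every job through `recipients_for` is that a withdrawal, an objection or a disputed-accuracy hold takes effect everywhere at once; the moment one mailing script reads the user table directly, the "restriction" is only a flag nobody honours.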
One of the main principles of the GDPR is that you only keep data for as long as you need it, and so it makes sense to delete records that you no longer need. However, if the data subject has a right to ask you to provide them with their personal data, by granting you permission under the restriction of processing in Article 18 1(c) for legal purposes, that means you will have to keep it just in case this right is exercised rather than delete it. To me, that goes against the principle of only keeping data that you need to process. Of course, if you no longer need the data you could mark it as not for processing rather than delete it, but what if you no longer perform that service and want to delete all records and your system? In this case, you can keep a backup as mentioned previously and delete the database. For an individual, you could have a process to dump that individual’s data into a report before deletion, as you would do if they requested their personal information, again stored securely. It’s a tricky one and my understanding of this right might not be correct.
Right to object
Under article 21, a data subject can object to processing where their personal data is being processed in the public interest, the controller believes they have a legitimate right to process it (unless the controller is a public authority) or the data is being used in profiling or for marketing purposes.
If the data subject objects and one or more of the conditions above apply then a restriction of processing needs to be in place until an investigation has resolved the issue one way or the other.
As mentioned in the transparency section, the right to object, together with the other rights, must be communicated to the data subject. All rights need to be clear and set apart from other text.
For website owners, my advice is that unless you really believe that doing so will harm your business/service, then if someone objects to their data being used in processing, remove it. If you are going to question the request then you need a mechanism in place where an individual's records can be temporarily (or permanently) excluded from processing.
Automated individual decision-making including profiling
The data subject has the right not to be the subject of automated decision-making or profiling unless they explicitly consented, it is required as part of a contract between the data subject and the controller, or it is authorised by Union or member state law to which the controller is subject.
If the data subject consented or if the law says that automated individual decision-making including profiling is authorised then the data subject needs to be made aware of their right to have human intervention on behalf of the controller to contest the decision or profile.
The data subject always has the right not to be the subject of automated decision-making based on special categories of information (racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic or biometric data where it uniquely identifies someone, health or sexual orientation).
For website owners using automated decision-making or profiling, this needs to be made clear as per the transparency section, and so does the right to refuse to be included. A process for anyone exercising that right needs to be established.
Right to data portability
If the controller's processing of an individual's data is carried out by automated means and is based on consent or a contract, then the data subject can request that the controller transfer their data electronically. The transfer can be to the individual, for them to pass on to another provider for processing, or by way of a direct transfer to another controller if that is technically possible. Data not being transferred directly must be provided in a structured, commonly used and machine-readable format. Any transfer must be done without hindrance from the controller and as soon as it is feasible.
For website owners operating in industries where there is already a data transfer standard available, you will need to make sure that you have a process (preferably automated) where a user can electronically transfer their data to another controller for processing. If there is no industry-standard method, or if the recipient controller cannot accept incoming data transfers automatically (which I think would probably apply in a lot of cases because of the security risk), then it will need to go via the data subject. A tab- or comma-delimited text file, with one row per record and a column per data field, together with a key explaining what each field means, would probably be best.
Any transfer should be protected such as transferring over a secure protocol or sending an encrypted file (with a phone call to the requester to let them know the password/key to unlock it).
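As an added illustration of the portable export described above (example code written for this article, not anything from the GDPR text or any particular product), the snippet below takes a constructed user record, writes only the subject's own fields to a comma-delimited file with a header row, produces a separate key describing each field, and computes a SHA-256 digest so the requester can confirm the file arrived intact. The record layout, field names and `FIELD_KEY` dictionary are assumptions for the example; encrypting the resulting file for transfer is left to a vetted library rather than shown here.

```python
import csv
import hashlib
import io
import json
from datetime import date, datetime

# Constructed sample of how a site might store one data subject's record.
# Internal fields such as the password hash are not the subject's own data
# and must not appear in the export.
SAMPLE_RECORD = {
    "user_id": 1042,
    "email": "alice@example.org",
    "display_name": "Alice",
    "signed_up": date(2017, 3, 14),
    "newsletter": True,
    "password_hash": "$2b$12$constructed-placeholder",  # never exported
}

# The "key" that accompanies the file: which fields are exported, in order,
# and what each one means. Assumed layout for this example.
FIELD_KEY = {
    "email": "Email address used to log in",
    "display_name": "Public display name",
    "signed_up": "Date the account was created (ISO 8601)",
    "newsletter": "Whether the newsletter subscription is active (true/false)",
}


def _portable_value(value):
    """Render a stored value in a form another system can parse unambiguously."""
    if isinstance(value, bool):          # check bool before int-like types
        return "true" if value else "false"
    if isinstance(value, (date, datetime)):
        return value.isoformat()
    if value is None:
        return ""
    return str(value)


def export_subject_data(record, field_key=FIELD_KEY):
    """Return (csv_text, key_text) containing only the fields named in field_key."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(field_key), lineterminator="\n")
    writer.writeheader()
    # Values containing commas, quotes or newlines are quoted by the csv module.
    writer.writerow({f: _portable_value(record.get(f)) for f in field_key})
    key_text = json.dumps(field_key, indent=2)
    return buf.getvalue(), key_text


def export_digest(csv_text):
    """SHA-256 of the export, sent alongside it so integrity can be checked."""
    return hashlib.sha256(csv_text.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    csv_text, key_text = export_subject_data(SAMPLE_RECORD)
    print(csv_text)
    print(key_text)
    print("sha256:", export_digest(csv_text))
```

Keeping the export keyed by an explicit field list, rather than dumping every column of the table, is what stops internal fields from leaking into a file that will leave your control.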
Notification obligation regarding rectification or erasure of personal data or restriction of processing
Under article 19, any corrections, deletions or restrictions of processing must be passed on to the recipients of the personal data, such as third parties.
For website owners that engage third parties or share data or processing tasks with them, you need to make sure, as part of that process, that they are kept up to date with anything the data subject has asked you to do if it will affect them too. This includes putting a restriction on data whilst a right to object is being challenged. Basically, whatever applies to you as a controller also applies to the controllers or processors that you share information with, unless of course that data has been pseudonymised for those providers (as they won't be able to trace it to an individual to correct, erase or restrict it).
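The two mechanisms called for above, a way to exclude an individual's records from processing while an objection or accuracy challenge is open, and a way to pass rectifications, erasures and restrictions on to recipients who can still identify the individual, can live in the same small layer over your user store. The following is an added example written for this article (not code from any project or from the regulation) that does both: processing jobs only ever read `records_for_processing()`, and every change to a record is logged as a notification for each recipient except those that only hold pseudonymised data. The recipient names, record fields and in-memory store are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class Recipient:
    """A third party you share data with (constructed examples below)."""
    name: str
    pseudonymised: bool  # True if they only ever receive pseudonymised data


@dataclass
class SubjectRecord:
    subject_id: int
    email: str
    restricted: bool = False
    restriction_reason: str = ""


# Fields that describe the restriction state, not the subject's data.
_CONTROL_FIELDS = {"subject_id", "restricted", "restriction_reason"}


class PersonalDataStore:
    """In-memory stand-in for a user table with a restriction flag per row."""

    def __init__(self, recipients):
        self.records = {}
        self.recipients = list(recipients)
        # Article 19 audit trail: (recipient, subject_id, action, detail, when)
        self.notifications = []

    def add(self, record):
        self.records[record.subject_id] = record

    def _notify(self, subject_id, action, detail=""):
        # Recipients holding only pseudonymised data cannot act on the change,
        # so they are skipped; everyone else gets an entry to act on.
        when = datetime.now(timezone.utc).isoformat()
        for r in self.recipients:
            if r.pseudonymised:
                continue
            self.notifications.append((r.name, subject_id, action, detail, when))

    def restrict(self, subject_id, reason):
        """Exclude a subject from processing (objection, accuracy dispute, ...)."""
        rec = self.records[subject_id]
        rec.restricted = True
        rec.restriction_reason = reason
        self._notify(subject_id, "restrict", reason)

    def lift_restriction(self, subject_id):
        rec = self.records[subject_id]
        rec.restricted = False
        rec.restriction_reason = ""
        self._notify(subject_id, "lift_restriction")

    def rectify(self, subject_id, **changes):
        """Correct data fields; control fields cannot be changed this way."""
        rec = self.records[subject_id]
        for field_name, value in changes.items():
            if field_name in _CONTROL_FIELDS or not hasattr(rec, field_name):
                raise ValueError(f"cannot rectify field {field_name!r}")
            setattr(rec, field_name, value)
        self._notify(subject_id, "rectify", ",".join(sorted(changes)))

    def erase(self, subject_id):
        del self.records[subject_id]
        self._notify(subject_id, "erase")

    def records_for_processing(self):
        """The only view processing jobs should read from."""
        return [r for r in self.records.values() if not r.restricted]


def newsletter_recipients(store):
    """Example processing job: it never sees restricted records."""
    return [r.email for r in store.records_for_processing()]


if __name__ == "__main__":
    store = PersonalDataStore([Recipient("MailCo", False),
                               Recipient("AnalyticsCo", True)])
    for i, addr in enumerate(["a@example.org", "b@example.org"], start=1):
        store.add(SubjectRecord(i, addr))
    store.restrict(2, "objection under article 21, under review")
    print(newsletter_recipients(store))   # only a@example.org
    print(store.notifications)            # MailCo told, AnalyticsCo not
```

Putting the restriction check inside `records_for_processing()` rather than in each job means a new job cannot forget it, and the notification log gives you the record of what each recipient was told and when, which is what you will need if a subject later asks whether their request was passed on.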
Communication
There are several mentions of communications but mostly they are around communicating when something changes or to let people know their rights.
For website owners, I would recommend communicating with everyone that you have personal data on and have an email address for as soon as is practical, on or after May 25, 2018. I would include details of where to find the information on your website about their rights and the processes used and if it is applicable what to do if they have forgotten their login details. This can be in a newsletter but it is probably best to do it as a blanket communication as not all of your users might be subscribed to your newsletter.
Another thing I would do is make sure that I delete before May 25, 2018 any data that I no longer need for processing and don’t need to keep for legal/regulatory reasons.
Further actions
I haven’t covered governance in this article but here are a few things that I would suggest that you do as a data controller of personal information. Some are for good governance but others as steps to getting prepared for May 25, 2018.
- Arrange an audit to document what personal data is held, where it came from and who it is shared with. Do you or any third parties need this personal information? Could you or they get by using pseudonymised data? If so, make those changes. Consider carrying out a Data Protection Impact Assessment to see if you fall down in any areas.
- Identify and document all of the ways and reasons for processing personal data. Are those reasons justified, fair and legal? If not, you should take action to stop that process or get legal advice on the appropriate basis for processing data, which may help to validate your reason for processing.
- Look at your current processes and procedures: does anything need to change for the GDPR, or could anything be automated? If so, make those changes. Also, make sure you have all of your processes documented.
- Review the wording of your website/application to make sure the terms and conditions reflect the new rights of the individual, that they are easy to understand and stand out clearly from any other wording.
- Look at the sign-up process and, if consent is required (i.e. the data hasn't come from another source for you to process), make sure it is clear to the individual what you will use this data for and provide a clear affirmative consent action. Are children allowed to sign up? If so, consent will need to come from the holder of parental responsibility.
- Do you have sufficient security measures in place to protect the personal information either as a controller or processor from unauthorised or unlawful access? If not, look into this.
- Review the procedure for detecting, reporting and investigating a data breach of personal information. If you discover a data breach you must report it within 72 hours. Do you know which supervisory authority to report it to?
- Make sure all of your staff are kept informed. Set up a training session on the GDPR and your processes. Follow this up annually or sooner with refresher training.
- If you are an international organisation, adequate safeguards must be provided for storage and processing outside of the EU in the same way as within it. Consider where you are operating in the EU, where your data controller (the person or people that make decisions about the processing of personal data) is based, and which lead supervisory authority you will need to contact. Also consider whether you need a Data Protection Officer appointed in the EU.
As always, if you are unsure about anything, don't rely on my opinion or the opinions of others; seek legal advice.
Useful information
I’ve added this section on January 22, 2018.
If you are a data controller or processor in the UK, or an international organisation that operates in the UK, then you can get updates from the "what's new" page on the Information Commissioner's Office (ICO) website.
Also from the ICO are "12 steps to take now" and online self-assessment checklists for controllers and processors.