Data Protection (internal) Audit prior to May (In preparation for that date)


For employers without a dedicated data protection or compliance function, a Data Protection Audit can seem like an overwhelming challenge. But it doesn't have to be. Top tips are as follows:

What does a Data Protection (internal) Audit look like?

An audit can take many forms, from a 'desk-top' paper-based review of current policies, procedures and contracts, to a full review of how the organisation, as a whole, processes personal data, following the flow of data throughout its life from collection through to destruction. The scope of the audit is likely to depend on the employer's size, resources and current level of compliance. A full Data Protection (internal) Audit should give an employer full visibility of data protection compliance across its entire organisation and result in clear action points to enable it to address any non-compliant areas ahead of May 2018.

For regionally diversified businesses, it is critical that there is collaboration between each of the different EU group entities and those entities operating outside the Union that offer goods or services to individuals in the EU (for example to prospective customers) or that monitor their behaviour (which may apply to data generated through the operation of an international loyalty scheme) (see Art 3, Territorial Scope, p8).

Step 1: How do you go about planning a Data Protection (internal) Audit?

Assembling the team

Implementation of a GDPR compliance programme requires a substantial investment of money, organisational resources and management time. It is vital to identify key stakeholders and to ensure that the organisation has board or senior management buy-in to support the project, so that there can be a co-ordinated approach and suitable time and resources allocated to the Data Protection Audit.
Employers should first determine whether or not a Data Protection Officer (DPO) must be appointed under Article 37 (p25). Even if the organisation is not required to appoint a DPO, it should assign an individual responsibility for compliance with data protection legislation. The data protection lead will then need to bring together a team from within the organisation with the necessary skills and expertise; Legal, HR, IT and compliance teams will need to take an integrated approach. Technical and/or specialist support may be required to understand where the organisation currently holds personal data, and whether or not current systems are capable of operating within the parameters required to comply with the GDPR. Establish who will take ownership of data protection and privacy compliance within your organisation, and establish reporting lines directly to the Board. Management buy-in is also important from the perspective of approval and allocation of budget for the different resources needed. This should, in particular, cover internal personnel, legal support and IT costs (for example for IT audits, or changes to supporting systems or software). Once the team is in place, it will need to work with each business area to identify the specific privacy risks to which the organisation is exposed and how these can be mitigated or avoided.

The information will then need to be reviewed and verified with the relevant departments before it is analysed and a full report produced, providing the organisation's action plan.

The starting point for any GDPR compliance project is therefore an understanding of the "what, why, how and where" of current personal data processing by the organisation and, where appropriate, by department or business line within it. You should make sure that decision makers and key people in your organisation are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have, and to identify areas that could cause compliance problems:

* What personal data is held and used (and whether it is sensitive personal data, Article 9, p14);
* Why the organisation needs it and why it uses it (which may not necessarily be the same thing); a Data Protection Impact Assessment (p28) can help you to answer this question;
* How the personal data is processed and shared;
* Where it is stored, and from where it is accessed;
* How you regulate all this effectively within the business (ie proper record keeping, training, guidance, audit processes);
* Whether you are creating derived or inferred data about people, for example by profiling them; and
* Whether you are likely to do other things with it in the future. This can be particularly important if you are undertaking large-scale analysis of data, as in big data analytics.

When explained in sufficiently broad terms, a Privacy Notice can allow for development in the way you use personal data, whilst still providing individuals with enough detail for them to understand what you will do with their information. However, you should not draw up a long list of possible future uses if, in reality, you do not intend to process personal data for those purposes.

What if you don't have a compliance or in-house legal team?
If you are a smaller employer with limited support departments, data protection usually falls to the HR function. In many cases, starting with an internal data protection audit of HR can be a useful approach, as it is often the department which processes and stores the most personal and sensitive personal data (such as names, personal details, health, disciplinary, grievance and sickness records) and therefore, for many employers, carries the highest risk.

Step 2: Gap Analysis

In order to understand what actions must be taken, it is important first to establish your current data protection compliance baseline and then carry out a Gap Analysis of how this compares against the obligations flowing down from the GDPR. This identifies and prioritises the gaps between where the organisation is now and where it needs to be, by reviewing existing data practices against GDPR requirements. It may also mean identifying current compliance failings and ensuring these are mopped up as part of the wider points for action from the project. The systems and procedures that employers use, and any new technology or software introduced after the GDPR is in force, must only process personal data to the extent that is necessary for the purpose for which it was collected in the first place.

Step 3: Risk Analysis

The Gap Analysis is likely to identify a large number of issues and actions, not all of which can reasonably be met at the same time ahead of May 2018. With this in mind, organisations such as healthcare providers, solicitors, accountants, tax advisers and IFAs, hotels and hospitality businesses should, as a priority, establish which of their data processing activities pose the highest risk for the business and for data subjects, and which are most likely to engage the high fines under the GDPR, and allocate resources on that basis. The riskier the processing activity, the greater the effort that should be made.

Step 4: Establishing a GDPR compliance action plan

Once your organisation has completed an initial internal Audit and Risk Assessment, the next step is to create an action plan and timeline for establishing a GDPR compliance programme. This should include the following steps:

* Prioritise compliance activity and remedial measures, based on the areas with the highest risk;
* Create a data register to meet GDPR record-keeping requirements (Article 30);
* Review systems and processes. Can the organisation's IT systems and processes cope technically with the expanded individual rights?
* Review employment contracts;
* Create and/or review Privacy Policies and Procedures with clear and practical guidance on GDPR compliance;
* Review and update current Privacy Notices and templates;
* Integrate Privacy by Design and Privacy by Default: collect the minimum amount of information and consider privacy from the outset of each project that involves personal data;
* Prepare for data breach notifications: develop a data breach response programme for prompt notification and investigation;
* Provide training on data protection policies and procedures, and specific training for individuals who process data;
* Review staffing requirements for ongoing data protection compliance;
* Implement regular audits against defined metrics (eg number of privacy complaints, completion of training, data breaches suffered) to assess the ongoing success of the compliance programme.

This is a good time to check your procedures and to work out how you would react if, for example, someone asks to have their personal data deleted. Will your systems help you to locate and delete the data? Who will make the decisions about deletion?

Step 5: Implementation of a data protection framework

5.1 Understanding key requirements

The range of new requirements under the GDPR means it is important that these are specifically mapped and that specific controls and measures are implemented to address the new obligations. These include:

a) Enhanced data subject rights
* stronger rights to receive information and, for example, to get access to (Art 15), correct (Art 16), delete / right to be forgotten (Art 17), restrict (Art 18) or object to (Art 21) processing;
* rights to be told of rectification or erasure (Art 19);
* rights to data portability (Art 20);
* the right not to be subject to a decision based solely on automated processing (Art 22);
* higher requirements for legitimate processing, including for transparency and valid consent.

b) Enhanced employee rights
The GDPR significantly enhances the rights of data subjects, which will in turn present greater compliance obligations for employers. Areas which face significant change include:
i) the information to be provided to data subjects (recital 63) in response to a Subject Access Request;
ii) the GDPR mandates that a more detailed set of information be provided to a data subject, particularly in relation to the purpose and means by which personal data is processed;
iii) data rectification rights, in circumstances in which data held about a data subject is inaccurate or incomplete (Article 16). In some respects rectification rights remain unchanged under the GDPR; however, data controllers will now face a mandatory obligation (Art 19) to notify the third parties to whom the data has been disclosed if data is rectified, for example in response to a request from the data subject. Employers should consider how they might implement procedures to action this obligation;
iv) the right to be forgotten (Article 17). This new right presents a potentially significant practical challenge for employers, particularly where employees' personal data is backed up in relatively inaccessible or complex systems. Employers will need a system for ensuring that data held, including in these systems, is accurate and up to date and is not kept for longer than is necessary;
v) similar to rectification rights, a data subject's right to have their personal data deleted on request (Article 17) should prompt all employers to consider how this would be practically achieved;
vi) the right (Article 21) to object to data processing carried out under Article 6(1)(e) or (f) (p41) (public task or legitimate interests).

5.2 Strengthened organisational requirements

The GDPR is more prescriptive about the compliance controls that must be in place, including:

Data processing registers: a register containing a record of the processing under the company's responsibility must, in most cases, be maintained (Article 30).

Data Protection Impact Assessments (Article 35, p29): where processing is likely to result in a high risk to the rights and freedoms of natural persons, a data controller shall, prior to the processing, be required to carry out a formal assessment of the impact of the proposed processing operations. In cases where this assessment indicates that the processing would result in a high risk in the absence of measures to mitigate the risk, the supervisory authority must be consulted (Article 36).

Appointing a Data Protection Officer (DPO) (Article 37, p25): this may be required where the core activities of the business involve regular and systematic monitoring of data subjects on a large scale, or large-scale processing of special (ie sensitive) categories of data.

In reviewing your procedures to ensure that these cover all the data rights of your employees, you will need to review the capability of your systems to allow you to meet your obligations, for example:
* how easily will you be able to locate and delete data when asked for personal data to be deleted?
* in meeting a request for data portability, can you provide the data in a structured, commonly used and machine-readable form?

Privacy by Design and by Default (Article 25, p26): ensuring that organisational and technical measures are in place so that data protection principles (such as data minimisation and purpose limitation) are met both when determining how data will be processed and when conducting the processing itself. These measures may also include security, pseudonymisation or other privacy-enhancing features.

Subject Access Requests (recital 63)
You should update your procedures and plan how you will handle requests to take account of the new rules:
* In most cases you will not be able to charge for complying with a request.
* You will have a month to comply, rather than the current 40 days.
* You can refuse, or charge for, requests that are manifestly unfounded or excessive.
* If you refuse a request, you must tell the individual why, and say that they have the right to complain to the supervisory authority and to a judicial remedy. You must do this without undue delay and at the latest within one month.

If your organisation handles a large number of Subject Access Requests, consider the logistical implications of having to deal with requests more quickly. You could consider whether it is feasible or desirable to develop systems that allow individuals to access their information easily online. Your policy should detail the employer's process for dealing with Subject Access Requests, and training should be provided for those who will be dealing with them. Employers should take note of the additional information which must be provided and the new timeframe for responding to Subject Access Requests under the GDPR, ie 'without undue delay' and within one month (extendable by a further two months, to three months in total, in cases which can be shown to be particularly complex), and set out a clear process which will assist them to comply with this requirement. Any template Subject Access Request acknowledgement and response letters will need to be updated accordingly.

Security measures (Art 32): appropriate technical and organisational security measures, taking into account the state of the art, must be implemented in order to protect personal data. You should put procedures in place to effectively detect, report and investigate a personal data breach. You will need to assess the types of personal data you hold and document the cases where you would be required to notify the ICO or affected individuals if a breach occurred. Larger organisations will need to develop policies and procedures for managing data breaches. The standard required for security by the GDPR has not changed from that in the current Data Protection Act 1998. However, controllers must obtain "sufficient guarantees" from their processors that the processor is capable of complying with the GDPR (Art 28).

Breach notification (Article 33, p29): a personal data breach must be reported to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of data subjects. Where the breach is likely to result in a high risk to data subjects, the data subjects themselves will generally also have to be informed (Article 34). Set up a system for detecting and dealing with data breaches. The policy should set out clear guidelines on what amounts to a data breach, a procedure to detect, report and investigate any breach, and guidelines for appropriate record keeping.

5.3 How long will the Audit take?

Even a desk-top Data Protection (internal) Audit of a small company with CCTV, employees, a customer database and a third-party payroll provider will take a reasonable amount of time to do effectively. Timescales should not be underestimated.
With limited time left until May 2018, starting sooner rather than later is advisable, and you also need to allow implementation time.

Euan MF Temple
c/o Euan Temple Business Consultancy Ltd
8 Main Road, Radcliffe-on-Trent, Nottingham NG12 2FH