While every organisation is different, we believe the following guidance will help you understand what GDPR is and how you can start to comply.


1 Introduction

While every organisation is different, we believe the following guidance will help you understand what GDPR is and how you can start to comply.

This guidance is split into two main parts:

Part 1: Focuses on the requirements of GDPR
Part 2: Focuses on how you can start to comply

Disclaimer

This guidance does not constitute binding legal advice. The guidance is provided by Sam Glynn of Code in Motion in good faith but without warranty of any kind. Every organisation is different. You should seek compliance or legal advice for your specific circumstances.

Plain English has been used wherever possible. This makes the guidance easier to understand and shorter in length. However, it may lack the accuracy that legal language could provide.

1 Part 1: What is GDPR?

Before you can comply, you must understand what compliance actually means. The following is a high-level description of some of GDPR's key requirements. It is not a comprehensive or detailed guide.

1.1 When does GDPR apply?

What data? GDPR applies to personal data. Personal data is any data you have about an individual (e.g. customer, prospect, employee, contractor, supplier), if you can identify the individual or could take steps to identify them.

What people? If your organisation is established in Europe, GDPR applies to the personal data that is accessible to you about any individual.

What activities? GDPR applies to all processing of personal data. Processing is doing anything with the data, e.g. storing it, viewing it, deleting it, sharing it.

1.2 What does GDPR compliance look like?

As noted at the start of this guidance, the following is a high-level summary and focuses on some of the key elements involved in GDPR compliance. It skips a lot of the key details that you need to understand before you can be sure you comply.

1.2.1 Step 1: You must have a lawful basis

You must have a lawful basis for any processing you perform on personal data. For example, a lawful basis could be:

1. Consent: You told the individual what you were planning to do and the individual freely gave you their consent. Discussing what constitutes valid consent under GDPR is an essay in itself. It must be freely given, fully informed, very specific and unambiguous.
2. Contract: The processing is absolutely necessary for the performance of a contract that you have with the individual (e.g. processing a customer's home address to ensure everyone involved in delivering the service knows where to go).
3. Legal obligation: The processing is absolutely necessary for you to comply with a legal obligation (e.g. processing an employee's PPS number so you can collect PAYE tax on behalf of the Revenue Commissioners).
4. Legitimate interest: You believe it is in your legitimate interest to do this processing, and you have confirmed this legitimate interest is not overridden by the rights and freedoms of the individual. For example, using CCTV to protect your premises.

1.2.2 Step 2: You must comply with the principles

Assuming your processing activity is lawful, you need to comply with the principles of data protection while you process personal data. For example, your processing must be:

1. Transparent: You must tell people what you will do with their data. Many organisations provide this transparency by publishing a Privacy Notice on their website and/or including such a notice as part of a customer / employee sign-up pack.
2. Necessary, proportionate and fair: Your processing must be absolutely necessary and proportionate. You must be sure that you couldn't achieve your objective in a less intrusive way. For example, using CCTV to identify that an employee is constantly late for work would usually be regarded as excessive. There may be less intrusive ways to achieve your objective, e.g. ask a manager to do their job.
3. Minimum: You should process the minimum amount of personal data, about the minimum number of people, keep the data for the minimum amount of time required, and restrict access to the data to the minimum number of staff and 3rd parties. For example: if you interviewed someone for a job 5 years ago but didn't employ them, why would you still have their CV?
4. Accurate: While you have personal data, you must take all reasonable steps to keep it accurate.
5. Secure: You must keep the data secure.
   a. Technology: You must have appropriate technology in place to reduce the risk of personal data being accessed by an unauthorised individual. Encrypting all laptops, mobile phones, and backups is likely to be regarded as an appropriate measure for any business. This includes taking steps to ensure personal data of customers is not accessible when a staff member who had access to their business email account loses their phone in a pub.
   b. Staff: Security is not just about IT. Staff are the weakest link in your security. You must take steps to train them so they know how to protect personal data, and they know what they can do and what they can't do.
   c. 3rd parties: If you outsource some of your activities to a 3rd party, you are still responsible for ensuring they protect all personal data that you disclose to them. You carry all of the financial risk if they do not comply with GDPR. You need to have some sort of binding agreement in place that obliges them to comply with GDPR and ensures they bear some of the financial risk if they get it wrong. This includes your IT support providers, your email provider (e.g. Microsoft if you use Office 365; Google if you use Gmail / G-Suite), your payroll providers, and delivery companies.
   d. Transfers of data outside the EEA: Personal data cannot be transferred outside of the EEA (EU, plus Norway, Iceland, and Liechtenstein) without appropriate legal protection in place to protect the data. For example, the data is stored on a server located in the US, or the data is accessed by an employee or 3rd party located in India. At the moment, there are a few appropriate legal protection options, for example: model contractual clauses, EU-US Privacy Shield. If you can find a way to keep the data in the EEA, you avoid the headache of having to work all this out.

1.2.3 Step 3: You must be ready for a personal data breach

Even when you know you have a lawful basis for all of your processing activities and you are confident you can comply with all of the principles, things can still go wrong. A staff member will accidentally send someone's personal data to the wrong person. A laptop will be lost. A marketing email will be sent to people who never gave you consent. Whether accidental or malicious, these are all examples of a personal data breach.

GDPR requires that you handle these appropriately. In some cases, you will need to inform the regulator within 72 hours. You may even need to tell the individuals whose personal data was involved. You need to be ready for this. You need to define a breach procedure that you will follow to ensure you can comply.

1.2.4 Step 4: Be ready to facilitate the rights

While you have someone's personal data, they have a number of data protection rights that you must be ready for. When someone exercises a data protection right, you must respond as soon as possible (and usually within no longer than 1 month), and you normally can't charge them a fee. Their rights include:

1. Right of access: An individual can request a copy of all the personal data you have about them. This includes data about them that is in emails between staff members (even potentially-defamatory remarks), data on CRM or ERP systems, or data stored in files on your computer network or in a filing cabinet. This right is a major headache for most businesses. It is likely to be the reason why you will actively reduce the amount of data you store about individuals, something that GDPR requires you to do anyway.
2. Right to rectification: If the personal data you have about an individual is inaccurate, they have a right to force you to fix the inaccuracy. If you have ever tried to get a bank to change your address, you will understand why this could be a problem for some organisations.
3. Right to object: In some circumstances, an individual has the right to object to how you are using their personal data, for example if you are processing their data on the basis of legitimate interest. When someone objects, you must stop processing their data until you have responded to their objection and confirmed the objection is not valid.
4. Right to erasure or restriction: In some circumstances, an individual has the right to tell you to delete their personal data or restrict its use, for example if you don't have a lawful basis for what you are doing, or you can only do it because they gave you consent and they have now withdrawn their consent. It is important to know that this right does not always apply, for example if you are processing their data as part of a contract or because of a legal obligation, i.e. a customer can't tell you to delete their data in an attempt to escape having to pay you for a service you have provided.

You need to be ready for someone exercising one of their rights. You need to define a procedure that you will follow to ensure you can facilitate the request (or explain why you won't facilitate it) within the required timeframe.

2 Part 2: Where do you start?

2.1 Step 1: Write down what you do with personal data

You can't comply if you don't know what you do. You need to write down what you do with personal data. I don't mean a comprehensive and complete data inventory, or a document worthy of ISO accreditation. I mean open an Excel spreadsheet (or find a blank whiteboard) and start writing down the types of things ("processing activities") that your organisation does with the personal data of customers, employees and any other groups of individuals (e.g. suppliers, prospects). Even just for 30 minutes, think about:

1. How you get the data [Gather]
2. Where you store it [Store]
3. What you use it for [Process]
4. Who else you give it to [Disclose]
5. How long you keep it and/or when you delete it [Retention]

Perhaps you don't think you do anything with personal data. If you employ one person or have one customer, you are wrong.

Employees:
- You recruit them
- You pay them
- You review their performance
- You maintain a HR file about them.

Customers:
- You sell to them and they pay you
- You call or email them
- You make notes about them
- You do marketing to target them.

You can't do these without their personal data.

2.2 Step 2: Review what you do against the principles, rights and other obligations

You've just documented what you do with personal data (i.e. you now know your processing activities). In Part 1, I described some of the key elements of GDPR compliance. You are now ready to consider how your processing activities comply with these key elements of GDPR, so you identify the changes you need to make to comply. This won't be all you need to do, but it will be a fantastic start.

11 3 Where can you get more help? Ireland s regulator s website ( and the UK s ICO s website ( are good places to start. Ireland regulator has created a dedicated site to help businesses work out what GDPR means: The ICO s website also has a dedicated GDPR section. There s a lot of very useful information here. If I had to pick just one thing, this 12-step guide (PDF format) is worth a read. 11