New year, new things to think about when it comes to your GDPR compliance preparations. Hopefully your GDPR project is in full swing by now. If it’s not, then you really do need to get your skates well and truly on. Do take a look through our November and December preparation blogs for ideas on how to get going. As of January 1, 2018, there were 144 days left until GDPR Day (May 25, 2018), so depending on where you are in the world, and when you’re reading this blog, you’ve got about 100 working days left to go.
Without further ado, here are our recommendations for January:
Enable your entire organization on GDPR compliance
Everyone, really, everyone in your organisation should have some level of GDPR awareness, because it only takes the actions of one unaware person to put you in breach of the regulation (the database under a desk situation, for example). Personal data is everywhere. I’m sat next to two phones and typing at a laptop writing this blog from my house. All of these contain personal data, and many organisations’ employees are in the same boat. Employees who are closest to personal data—such as engineering, marketing, operations, and HR—need the most training. Personal data might well enter your environment through some form of human entry, so it is essential that customer services, sales, support et al all understand the fundamentals of GDPR. There are myriad online courses available, including certifications, and it may also be wise to include GDPR-related training in your new hire and annual conduct training.
Clean out unnecessary personal data
Article 5 of the GDPR states that personal data must be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’)”. Additionally, personal data must be “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed…(‘storage limitation’).”
This means you can only process the personal data you actually need (you can read more about adequacy from the ICO), and only keep it for as long as is necessary to perform the tasks for which you need it. As with many compliance regulations, paperwork is key: document which types of personal data you have, the categories of personal data they fall into, why you need the personal data, and for how long you retain it.
A question I hear pretty frequently boils down to “which compliance wins in a fight?” For example, what should you do if GDPR says you should remove personal data you don’t need, but a different compliance requirement says you need to keep records for a specific amount of time (even if you no longer provide a service to the individuals the data belongs to)? Alas, this is a question you’ll need to answer with your legal experts of choice. The ICO has some sage advice on what to do in these circumstances. The TL;DR is that both/all win and it’s really not a competition, even though GDPR has a much bigger maximum fine stick to wield: a legal obligation to retain records is itself a lawful basis for keeping that data for the required period, so a retention requirement and GDPR’s storage limitation principle are not in conflict. Your legal counsel can offer advice specific to your circumstances.
If there is no legal, regulatory or valid reason to have specific personal data, it may be time to consider getting rid of it. As an added bonus, you’ll win back some storage too.
Contact data subjects to ensure personal data accuracy
Article 5 also states that personal data must be “accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’).” You’re likely already seeing organisations reaching out to you personally to check that your data is up to date, as, like many things that fall under GDPR, this is good business practice. Clarification on accuracy (META!!) is also covered by our friends over at the ICO. Before you stop reading this blog and run off to go sending out emails, in-app messages or even letters on Actual Paper, please carry on reading through the next section as you’ve likely got some further communication to do.
Update consent mechanisms, privacy policies, and legal agreements
Not that I have any major life regrets (well, one small one involving not saying hello to Rod Hull, a British kids’ TV entertainer, in the street once; a few weeks later he died. I’m still reeling a bit, can you tell? Sorry, I digress, but it was a valuable lesson nonetheless)…BUT, if I had a DeLorean and a flux capacitor, right now would be a good moment to go back in time and retrain as a data privacy lawyer. Seriously, these are busy people right now.
Let’s talk about consent first, as this has been a topic of much debate. Consent is one of the lawful bases for processing personal data (Article 6 lists others, such as contract, legal obligation and legitimate interests), so you need to know which basis you are relying on for each processing activity. Where you do rely on consent, it must be freely given, specific, informed and unambiguous, and it must be as easy to withdraw as it was to give (Article 7). There are additional rules around consent for information society services offered to children (Article 8). The Article 29 Working Party, the group of EU data protection authorities responsible for issuing guidance on the GDPR articles, has issued guidelines on transparency and on consent. Many organisations expect to be making changes to contracts and web applications to meet this part of the regulation.
Whether you decide to jointly or separately revisit consent and data accuracy discussions with your customers, prospects, employees, and any other EU data subjects you hold data about is a matter for you to discuss with your team and counsel. It might be easier to kill two birds with one stone, especially if you have a lot of data.
If you’re looking for further information on GDPR please do check out our GDPR toolkit.
Watch the GDPR blog tag to keep up as we get closer to GDPR go-time.