Our quick guide to GDPR:
One of the biggest headaches with GDPR is understanding its structure and translating that into a workable plan. It’s an extremely complex piece of legislation because each clause of it relates to other clauses and notes, so it can be challenging to work through it sequentially in order to understand what you need to do.
This is especially important for those companies that think that whether or not a customer opts in is the be-all and end-all of the regulation, because it’s not. What’s important to understand is that the biggest change is actually the enforcement of the regulation – so expect to see a lot more information promoting GDPR to consumers and businesses alike, because the ICO will have stronger enforcement capabilities from May 2018.
For B2B organisations, it’s also important to recognise that if an individual can be identified by their work email address, that counts as personal data, which makes it even less straightforward.
In the meantime, I’ve put together a short guide to help you navigate the regulation to make life easier for you.
1. 12 Steps
The ICO have issued a handy guide which covers the primary principles of the legislation, which you can access here. Technically they are not “12 steps” in the sequential sense, but more “12 areas you should be looking at to make sure you don’t miss anything out” (OK, so it’s less catchy). This guide is most useful in terms of making sure you have a checklist of areas to look at within your organisation.
2. Guiding principles
The next layer to consider is the set of key principles of the GDPR against which you need to “sense check” your data processing as it currently stands.
- Lawfulness and Transparency
  - Personal data shall be processed lawfully and in a transparent manner in relation to the data subject
- Purpose Limitation
  - Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
- Data Minimisation
  - Personal data shall be adequate, relevant and limited to what is necessary
- Accuracy
  - Personal data shall be accurate and, where necessary, kept up to date
- Storage Limitation
  - Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed
- Integrity and Confidentiality
  - Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures
- Accountability
  - The controller shall be responsible for, and be able to demonstrate compliance with, the GDPR
The last one is crucial, because this Accountability principle reinforces my point above: enforcement is about to become more serious, as companies will be held more accountable, and in more specific ways, than before.
Obviously there is a lot more information and compliance required behind each of these points, which is why you need to look at them in conjunction with the 12 steps, and the 6 principles of lawful data processing shown below:
3. Principles of lawful data processing
In order to ensure you become and remain compliant, you need to ensure that you meet the conditions for processing data, which is not just based on consent. Some of them won’t apply to your organisation as they relate more to public authorities or emergency services, and some of them are overridden by restrictions in other regulations such as PECR (the so-called Cookie law). So this requires a thorough review:
- Consent of the data subject
- Contractual requirements
- Compliance with a legal obligation
- To protect the vital interests of another person
- For the public interest or in the exercise of official authority
- For the purposes of legitimate interests, except where overridden by the interests, rights or freedoms of the data subject
Direct Marketing is listed as a legitimate interest, which is good, but it does have limits and is overridden in some areas by PECR.
If you process special categories of data, then you have an additional list of conditions to comply with.
It’s no surprise that it’s complex: data has grown exponentially, alongside technological capabilities, and it’s a big topic.
Hopefully you’ve found this quick guide to GDPR helpful. If you need help with templates, workflows, processes and people, then we provide services and content that can get you compliant more quickly than doing it yourself.