10 Key EU & UK GDPR Compliance Best Practices

10 THINGS YOU CAN DO TO COMPLY WITH THE NEW EU GENERAL DATA PROTECTION REGULATION (GDPR) AND UK DATA PROTECTION ACT (DPA)

1. DEVELOP A ROBUST DPA & GDPR COMPLIANCE COMMUNICATIONS & ENGAGEMENT STRATEGY

Be as transparent as possible. All processing must be within people’s reasonable expectations, in order for it to be lawful. The more that you do to ensure that people are well-informed, and provided with realistic choices, the more that it can be said that what you are doing is within people’s reasonable expectations. Let people know the risks of processing, as well as, the rewards.

Provide clear explanations. You must specify all intended uses of personal data (including future intended uses). Consider using your data flow map/(s) (see point 6 below) to help you to provide people with clear visual explanations, about what you do with their data. Make sure that you keep your data flow maps up-to-date.

Use your website, social media, application’s, and traditional communications channels to keep people informed about the way that you process their data. You can potentially use the same platforms to enable people to provide you with feedback, and to also make decisions (eg to opt-in to or out of general or specific data processing initiatives).

Think broadly and creatively in terms of how you can most effectively engage with the people whose data you control and/or process. Think about workshops, seminars, and drop-in sessions, public and online surveys, developing videos and/or animations, and utilising local or national radio and television channels. Remember to always take equalities and diversity into consideration (e.g. is the information accessible in different formats and languages), and to also think about ways of engaging groups and individuals that may be marginalised.

Keep it proportionate. As a general rule, the more sensitive and voluminous the data, and/or the more innovative that what you are trying to achieve is, the more you will have to do to inform and engage.

Remember that your duty to keep people informed is an on-going one. Ensure that you keep people informed of all relevant changes that either impact, or have the potential to impact their right to privacy. Don’t just stick a privacy notice up and think the job is done!

2. PROVIDE PEOPLE WITH GRANULAR AND REALISTIC DPA & GDPR CONSENT CHOICES

People must be given the opportunity to provide you with explicit and unambiguous indications about the way that they wish for their data to be handled. Since everybody has a different view of how they would like their confidential and sensitive data to be handled, to ensure compliance with the GDPR, you must design your systems, processes and technologies in a manner which enables each individual’s informed decisions to be respected, by default and by design.

Answering the following three basic questions, will help you to ensure that the choices your offer are both realistic and compliant:

What choices are aligned with your strategic objectives?
What choices will it be technically possible to securely deliver?
What choices are within the reasonable expectations of your end-users (i.e. what was the feedback from user engagement)?

3. RECORD DPA & GDPR CONSENT DECISIONS CENTRALLY AND ELECTRONICALLY

Recording consent decisions centrally and electronically, in a manner which enables consent decisions to flow downstream into all relevant systems and processes, is a challenging (depending on the scale of what you need to achieve and your organisations digital maturity level), yet worthwhile task.

Doing this will help you to ensure that access to confidential and sensitive data is intuitively restricted, on a need to know basis, and readily accessible – if necessary, in real-time. Being able to rapidly ascertain whom, has consented to what, makes delivering compliant products and services, all the more easy.

For example it will make it easier to determine which of your end-users has consented to their data being shared with third parties, or used for commercial and/or research purposes. It will also make it easier to delete data if end-users later decide to opt-out.

GDPR makes it mandatory for public authorities, and all organisations that routinely and systematically conduct activities which involve the handling of confidential and sensitive data, on a large scale, to appoint a Data Protection Officer (DPO). If you fall into either of these categories, and if you have not already done so, now is the time to appoint and, if necessary, train a DPO.

Even if you do not fall into these categories – there is much work to be done in order to ensure that your organisation will comply with the GDPR when it comes into force. Having a DPO with expert knowledge of data protection law and practice will make the task of compliance much easier.
This does not necessarily mean that you will have to hire a new member of staff. You may have an existing staff member with sufficient expertise and capacity to take on the role. It is also permissible to obtain advice and support from independent experts, if desirable, or necessary.

A good DPO should be as proactive about designing ways to enable data be used in a compliant manner, as they are about identifying and mitigating privacy and data protection risks. Look out for someone that is as pragmatic about solving problems, as they are knowledgeable about privacy and data protection law. DPOs should actively participate in online and offline networks and forums. Helping them to learn lessons from others, and build a network of people to share ideas, templates, and possibly even costs with.

Need an external DPO Service Provider (DPOaaS)?

The GDPR allows you to contract external DPO Services Provider – Data Protection Officer Services (DPOaas). Enabling you to hire highly experienced and qualified DPOs from DPO Service providers like IG-Smart Ltd, to enable you to ensure your organisations maintains robust GDPR compliance frameworks, strategies, policies, and standard operating procedures.

5. DEVELOP A DPA & GDPR COMPLIANCE RISK MANAGEMENT FRAMEWORK 

A well designed DPA and GDPR Compliance Risk Management Framework can help your organisation to ensure that all privacy and data protection risks are pro-actively mitigated, and aligned with your overarching corporate risks, and risk appetite.

HIGH-LEVEL DPA & GDPR COMPLIANCE FRAMEWORK OVERVIEW

• Systems, processes and technologies are designed with privacy embedded by default. Helping you to ensure that all access to confidential and sensitive data is secure and legitimately accessed.
• People and third parties that process personal data on your behalf are appropriately vetted, trained, and bound by contracts which impose standards considered equal to or greater than the privacy and data protection laws of the countries whose citizens data you process.
• Information Asset Registers are used to ensure that all confidential and sensitive data are appropriately managed, accurate, classified, protectively marked, resilient, secure at rest, up-to-date, accessed on a strict need to know basis, not kept for longer than necessary and confidentially destroyed when no longer required.
• Data Flow Maps are used to ensure that all confidential and sensitive data are lawfully disclosed and secure in transit.
• Records of Processing Activity (ROPAs) are used to record, measure, mitigate, monitor and report privacy and data protection risks (and breaches – in the unfortunate, but increasingly likely event that they will happen). In the event of a data breach, a robust ROPA can provide clear evidence that you did all that it is was reasonably practicable to do, in the circumstances, in order to identify and mitigate privacy and data protection risks.
• Automated monitoring and routine auditing enable you to identify risks and rapidly respond to threats.

6. KNOW WHAT DATA GOES WHERE, AND UNDERSTAND THE GDPR COMPLIANCE RISKS

Mapping all of your organisations in-bound, internal and out-bound flows of confidential and sensitive data, will help you to ensure that all flows are lawful and secure. Providing you with an up-to-date picture of what data goes where, how it gets there, whom accesses it, and for what purpose. Enabling you to identify actual and potential privacy and data protection risks (which should, in turn, be recorded in the IRR). It is important to note that GDPR imposes an obligation on data controllers to ensure that data processors, sub-processors, and even sub-sub process have GDPR compliant controls in place.
Data Protection & Privacy risks include:

• Unauthorised disclosures and accidental losses
• Inadequate organisational and technological security controls
• Failing to put GDPR compliant staff and supplier contracts in place
• Outsourcing to non-compliant third parties
• Inadequate training and guidance to help those that handle data understand and comply with their responsibilities

7. PROVIDE ALL STAFF WITH ENGAGING & CONTEXTUALISED DPA & GDPR TRAINING

A lack of, and/or inadequate training is unquestionably one of the major root causes of privacy and data protection breaches. Providing those that handle data within your organisation with succinct, engaging and up-to-date training can therefore, be one of the most effective and efficient ways of reducing privacy risks. Training should be supported by clear, concise and accessible guidance materials, which are designed to help those that handle data to understand and confidently discharge their responsibilities.

Try to tailor your training to suit the things that your organisations does with data, and the roles and responsibilities of the people that handle data on your behalf. This will help those undergoing training to put things into context, and hopefully help to engage them in what is sometimes perceived as being a dull subject. If your staff are particularly difficult to engage, you may have to throw in videos, games, animation’s and even finger puppets!

8. ENSURE ALL CONTRACTS ARE DPA & GDPR COMPLIANT

Review the contracts which are in place with any third parties that process confidential and/or sensitive data on your behalf, and check that they have clauses in them which impose conditions on the third party (and any sub-processors, and sub-sub-processors) that are either equal to, or greater than those imposed by the GDPR). This can be a challenging task, particularly for complex and large organisations, as there are lots of legalities to take into consideration.

9. CHECK PARTNER AND SUPPLIER DPA & GDPR COMPLIANCE CREDENTIALS

Do those that process data on your behalf have adequate controls in place to protect privacy? It is one thing having a robust contract in place, it is another to ensure that contractual obligations are being met. Ensure that those that process data on your behalf follow international best practice. One way that can help you to do this is to ensure that they maintain compliance with standards such as ISO 27001, by routinely requesting evidence of independent certification. However, the more complex the data processing arrangement, or the more sensitive and/or voluminous the data, the more controls that may need to be in place and routinely monitored.

10. CONDUCT DATA PROTECTION IMPACT ASSESSMENT’S (DPIAS)

DPIAs are now mandatory for all processing that is likely to have a significant risk on the privacy, quality or security of personal data. DPIAs can help you to identify actual and potential privacy and data protection risks, and to measure the impact that they may have. DPIAs should, as a minimum, be used whenever you are doing something that is likely to have a significant impact on privacy. This may for example include; joint ventures, mergers and acquisitions, takeovers, implementing new technologies, sharing data with partners, and using personal data for previously unspecified purposes. Knowing what risks you face and the actual or potential impact they may have, is key to knowing how to best mitigate risks.

Is your organisation struggling with GDPR compliance?

All organisations that process data belonging to EU citizens (whether they are your customers or not – for example you may wittingly or unwittingly collect personal data through your website) must be compliant with the GDPR. All organisations that process data belonging to UK citizens must also comply with the UK Data Protection Act 2018 (DPA), and common law duty of confidentiality.

Many organisations are still struggling to fully implement DPA and GDPR compliance within their organisation – even though the GDPR came into force on the 25th May 2018 – more than three years ago! Whilst it is worrying that some organisations are still exposed to significant GDPR compliance risks owing to their failure to effectively implement robust GDPR compliance policies, processes, systems, technologies, etc., – it is not surprising, given just how challenging GDPR compliance can be for organisations that process significant volumes of personal and sensitive data in complex ways. Especially when any processing activities are considered high risk from a data privacy and GDPR compliance perspective.

For global enterprises, the challenges that can be associated with DPA and GDPR compliance can be even greater, with significant risks that are often associated with complex supply chain management/third party data processor due diligence burdens and compliance and cyber security risks, technological systems (which are sometimes disparate, manifold, and legacy and present their own challenges), and internal and external cross-border processing activities that require robust additional safeguards.

It does not stop there. Global enterprises may also have to contend with a whole raft of complex international, national, and state level data privacy and data protection laws, including:

Why not get help from experienced GDPR Consultants?

IG Smart Ltd’s GDPR Consultants have delivered some of the largest and most complex, as well as basic, GDPR Compliance implementation programmes, including:

• Nectar: GDPR Compliance Implementation Programme for The largest UK consumer database.
• AIMIA ILS: GDPR Compliance Implementation Programme for a Global consumer database of 100 million consumer records.
• Glenmark Global Pharmaceuticals: GDPR Gap Analysis, Improvement Plan, & outsourced DPO Services for Global Pharmaceutical company.
• Banham Security: GDPR Compliance Gap Analysis, Improvement Plan, & outsourced DPO Services for Banham – inventors of the automatic locking door.
• Paul UK: GDPR Gap Analysis & Data Protection Officer as a Service (DPOaaS) for Paul UK the UK branch of Paul’s global chain of French bakeries/café restaurants, first established in 1889
• accuRx: Data Protection Officer Services and GDPR NHS & DSP Toolkit advisory for UK leading healthcare technology and COVID-19 vaccination software company, used by 98% of UK GP practices.
• Jigsaw Technology Ltd: ISO 27001 Certification, DPO Services, & Virtual Chief Information Security Officer (VCISO) Services for Jigsaw – leading global Legal Technology and Diagramming solutions providers.
• Advanced Solutions: Cyber Essentials Certification, GDPR NHS, & DSP Toolkit Compliance for Advanced Solutions Community Interest Company – provider of counselling and advisory services to families with children across the Autism spectrum.

We are here to share lessons learned, and to help you implement pragmatic controls to ensure compliance with GDPR.