GDPR: Our Journey So Far
We started our journey in February 2017 when we embarked on the ISO 27001 certification process for information security management. We wanted to demonstrate to our clients that we take security seriously, especially when we are handling sensitive information. As part of our due diligence and employment screening services, we handle personal data on a regular basis in the form of items such as CVs, passports, application forms and university certificates. Many of the processes and procedures we put in place for ISO 27001 also turned out to satisfy the requirements for protecting personal data under GDPR.
From our experience, communicating the importance of data protection from senior management to the rest of the team was pivotal. Everyone understood quite quickly why data protection is vital to the success and reputation of our business, and the team recognised the impact GDPR would likely have on our operations. Conveying this message early and reinforcing our internal culture regarding data security was our first step towards compliance.
Mapping your data
Until you know what personal data you hold and where it lives, you cannot be compliant, or even meaningfully working towards compliance. Take some time out with no distractions and list where you think personal data is stored.
This will help form part of your data mapping. Keep it simple to start with, consider:
• How do you obtain personal information (directly from the data subject, by email, by post, via your website, from CCTV etc.)?
• What information is collected (name and date of birth, passport, utility bills, banking details etc.)?
• Where is the data stored (PCs, tablets, printers, mobile devices, cloud-based services)?
• Who has access to the data, and do any third parties have access?
• Do you share or transfer personal information with anyone outside the EU, and if so, where?
There are several ways of producing this map. We used a product called i2 Analyst Notebook to map our data or “information flow”, but you can use a simple flowchart in Word, or even a large flipchart or whiteboard. Drawing it out brings the data map to life, and you will be able to see it and add to it as the process continues.
As part of our audit process, we examined where our internal personal data was held, how we processed it and whether it was secure. We then drafted an internal document that questioned our internal procedures, looking at them from both a human resources and an operations point of view. The questions covered the whole lifecycle, from recruitment through to people leaving, and included:
• Who has access to payroll, personnel folders and cloud platforms (and where are those cloud platforms hosted)?
• How do we send and receive information to and from clients?
• Do we process any personal information about children?
• Are data subjects notified of the collection and processing of their data? Do they know why their data is collected and who it is shared with? Is that notice easily accessible, concise and transparent?
• What procedures are in place for receiving and sending personal information by email?
• Is personal data used and stored only for the purposes it was originally collected for?
These were just some of our starting questions.
Once all the responses are collected, collate the answers into one report. This will identify the areas of good practice, the areas needing development and the points of concern. The report forms part of your gap analysis, which you can return to once each item of concern has been addressed.
If you’re interested, we can share our pre-assessment questionnaire tool with you. Once the internal data mapping was collated, we applied the same questions and processes to our clients’ data and added those findings and data flows to our data map. I would really encourage this.
At some point in the GDPR preparation, you will likely need legal advice as to what your contracts and privacy notices will need to cover.
Your contractual obligations will differ depending on what services your organisation provides. For each processing activity you will need to identify the lawful basis you rely on (consent, contract, legal obligation, legitimate interests and so on) for controlling or processing the personal data of individuals in the EU; note that GDPR applies to individuals in the EU regardless of their citizenship. Some legal points to consider include:
• employment contracts
• current consents
• privacy notices
• opt-in or opt-out
• terms of business
• third-party written agreements
• engagement letters with your clients
• website legal notices, etc.
Again, your data mapping will help point your legal advisors towards the areas where you will need assistance. Having identified your data, analysed the gaps, mapped your processes and spoken to your legal advisors, you have achieved most of the hard work.
Internal process changes
You will also need to update your internal policies and procedures to reflect your GDPR preparations, and communicate the changes to your employees and third parties. Don’t assume that everyone will comply simply because you asked; talk with them too. Make Data Protection Impact Assessments (DPIAs) a regular part of your organisation’s plan, not a one-off exercise.
Decide and document how long personal information is retained; who has access to it (and who does not need access); how you keep a record or register of the consents you hold; and how you review your ongoing relationships with individuals and their data.
Consider also the procedures you will follow if you ever detect a breach. Who is responsible for the response, and to whom do you report? Under GDPR a personal data breach must be notified to the supervisory authority within 72 hours of becoming aware of it unless it is unlikely to result in a risk to individuals, and the affected individuals must be told without undue delay where the risk to them is high, so the decision path and contact details need to be written down in advance. Does your organisation require a dedicated Data Protection Officer (DPO), or at least a named person responsible for data protection compliance? Do you outsource your data protection compliance?
Register with the ICO
Finally, a step many organisations forget: register your organisation with the Information Commissioner’s Office or, if you are based outside the United Kingdom, with the relevant supervisory authority. GDPR will evolve over time. Over the next couple of years, precedents and further guidance will become available, and success stories and failures will be reported. Keep monitoring developments, continue to audit your processes and keep your internal housekeeping in order.
If you make data protection part of your working day and culture, it will soon become much more manageable. However, if you haven’t done so already, make a start.