10 Top Tips for Achieving GDPR Compliance

Developing and Maintaining a ROPA

As the GDPR is a risk-based regulation, we would always recommend that you make sure your record of processing activities (ROPA) is fully developed and maintained.  Aside from being a statutory requirement, the ROPA is one of the best tools for identifying data risk in your organisation’s processing, and should be front and centre of any controller’s compliance effort.

‍

Conducting Data Protection Impact Assessments (DPIAs)

A DPIA is a risk assessment which focuses on personal data risks and how you can take steps to mitigate or even eliminate them.  DPIAs are mandatory under the GDPR for certain types of high-risk processing. Although not mandatory, the Information Commissioner’s Office (ICO) the UK’s privacy regulator, has produced a list of processes for which controllers are encouraged to conduct what they term a best practice DPIA.

Failure to conduct mandatory DPIAs is not only breaking the law, but also increases the likelihood of data loss or other breaches of the data subject’s rights and freedoms, as well as reputational damage, financial claims, and increased premiums on services such as cyber insurance.  The Regulation sets out some particular scenarios in which a DPIA is required, e.g., when you’re engaging in profiling, such as monitoring the behaviour of individuals, and when you’re engaging in large scale processing of special category data.

‍

Checking your Privacy Notices

Privacy notices are required to facilitate the fair processing element of the first principle of the GDPR, which dictates that personal data must be processed lawfully, fairly and transparently.  They also communicate certain basic information to data subjects, primarily what your organisation is doing with their data and the lawful basis under which it is being processed.  Privacy notices must be transparent and concise so, if you are processing the data of different types of data subjects for different purposes (e.g., customers, clients and employees), we would recommend you split up different processes onto separate privacy notices, as far as is reasonable.

‍

Managing your Supplier Risk

An important aspect of many organisations’ activities will include sharing personal data with their suppliers.  However, we continue to find that too few organisations are taking steps to ensure that the processers and their suppliers have adequate privacy compliance frameworks in place.  For example, if a vendor is a supplier of cloud processing services, how would they protect UK data subjects’ data that is being processed in their servers outside of the UK?

Under the UK GDPR, organisations which engage in this sort of data sharing should prioritise checking their potential suppliers’ data risk compliance measures at an early stage of their procurement process. Asking your suppliers or prospective suppliers to complete a vendor risk management due diligence questionnaire, a checklist, or even requesting shortlisted suppliers’ ROPAs can help you ensure your suppliers meet compliance requirements.

Under the GDPR, appropriate security measures are a mandatory clause which must appear in the contract between you as the controller and the processor, dividing responsibility for data protection (DP) between the two parties.  The GDPR also allows controllers to conduct audits of the processor to ensure that they are maintaining their security measures.

‍

Auditing your Consent

The bar for achieving and maintaining the consent of data subjects under the GDPR is very high and, as such, consent is not the first choice of lawful basis for many controllers.  Consent must be freely given, specific and informed.  Therefore, when gathering consent, you must clearly and specifically explain what you want to perform with the subject’s data, and this cannot, for example, be hidden away in terms and conditions, or anywhere else that it may be difficult for data subjects to find.  The data subject must provide a positive action to show that they’re giving you their consent, and the Regulation has a specific provision for the fact that the giving of consent cannot be conditional on the data subjects’ receipt of a service when their consent is not necessary for the performance of that contract, as this would mean it is not freely given.

Consent is also able to be withdrawn at any time.  If you receive the data subject’s consent and they later change their mind, you will not be able to continue with the process in question as you will have lost your lawful basis for performing it.

Developing and Implementing a Personal Data Retention Policy

Principle 5 of the GDPR, storage limitation, dictates that personal data should not be kept for longer than is necessary.  We at URM have found that organisations are not devoting sufficient time to identifying what personal information they have, how long they are keeping it for, and why.  This is linked to the failure of many organisations to compile and maintain an effective ROPA where envisaged time limits for erasure need to be specified.

If your organisation retains personal data for longer than it needs to, it will not only be in breach of the storage limitation principle, but will also incur entirely avoidable storage costs, and risk data loss either through accidental disclosure or intentional hacking.

‍

‍

Training

Lack of DP training for employees at all levels is another recurring issue we see in many organisations.  Human error continues to represent one of the greatest risks to DP that organisations face, and without effective and ongoing meaningful training, this will continue to be the case even when you have a ROPA or DPIA in place.

These human-error risks can be mitigated or even avoided entirely by implementing a programme of regular update training, beyond the compulsory one-hour GDPR section of the new starter induction process, which, we find, is quickly forgotten or lost in the mass of information being absorbed when an employee starts at a new organisation.

‍

‍

Ensuring Human Infrastructure Is in Place

Naturally, your privacy compliance framework will need individuals to implement it, and you should have more individuals responsible for this than just your data protection officer (DPO)/privacy compliance lead. Aside from the board level individual who owns your organisation’s DP strategy, we have found that it is effective (particularly in larger organisations) to have a network of DP leads.  These individuals are sometimes called data champions and are often appointed at the department head or line manager level.  

However, even if you don’t use the data champion approach, your organisation must identify the process owners, i.e., the people who know the most about your organisation’s individual processes involving personal data.  As well as this, your staff should understand that DP is everyone’s responsibility.

‍

‍

Ensuring Data Protection Always by Design

The phrase ‘data protection by design’ appears in the Regulation, but what does it mean?  Simply put, DP by design means that DP should be built into your organisation’s processes from an early stage.  Therefore, you should ensure that any new projects or systems involving personal data consider data risk and data protection during the design phase.  You should try to avoid wrapping measures around such processes retrospectively, but instead fully embed data protection from the outset.

‍

‍

Making GDPR ‘Part of the Furniture’

We suggest that organisations encourage the use of GDPR terms and phrases, such as those used in this blog (e.g., ROPA, DPIA, lawful basis, privacy notice), as part of their everyday language.  For example, introducing DP slots on the weekly team meetings as a standing agenda item, new project checklists, and performance assessments for staff, in order to foster GDPR compliant approaches and attitudes as business as usual throughout your organisation.