A Guide to Implementing the General Data Protection Regulation (“GDPR”)
Much has changed in the world of technology and the digital economy since the Data Protection Act 1998 was introduced into Law in the UK. For example:
- Social media platforms such as Facebook, Instagram, Twitter and LinkedIn did not exist.
- Google was not the dominant search engine, in fact the Alphabet company had yet to form.
- Online and Mobile Banking was not in use, in fact less than 20% of us had mobile phones (1997 statistic)
- Most electronic data were stored in a structured format (e.g. database).Today, personal data is stored in a variety of unstructured formats (e.g. email, messages or photos).
What are the differences between DPA 1998 and GDPR?
Here are some key facts to bear in mind when comparing the General Data Protection Regulation with the existing Data Protection Act 1998:
- Core data protection principles remain unchanged
- Enhanced definition of consent
- Tightening on use of ‘Legitimate Interest’
- Transparency is fundamental
- New and expanded individual rights
- Accountability is key
- Data breach notification for Data Controllers and Data Processors
- New responsibilities for Data Processors
The General Data Protection Regulation (“GDPR”) 2016/679 was approved by the European Parliament on 14thApril 2016, it was enforced on 25thMay 2018 following a 2-year transition period. The GDPR replaced the EU Data Protection Directive 95/46/EC. The UK’s Data Protection Act 2018 received Royal Assent on 23rdMay 2018.
Using PDA Legal's Supported Guidance pack
These guidelines provide your organisation with a practical 5 step approach to implementing the GDPR:
- Set up a GPDR Working Group / Implementation Team
- Undertake a GDPR Gap Analysis
- Identify and Map the Flow of Personal Data into and out of the organisation
- Update the organisation’s Data Protection Policies and Procedures
- Training and On-going Compliance
For each of the steps, we set out Action Points to consider and guidance notes so that you can review your data protection situation and ultimately, enhance your documents and procedures to align with best practice for data protection.
The accompanying Excel spreadsheet will help you to chart your progress and avoid gaps. As you work through this webpage, refer to the corresponding tabs on the Excel sheet and record your consideration and progress.
You'll see that this webpage includes highlighted web-links to relevant sources of information and further reading (such as the ICO website) throughout.
There are coloured tabs, linking to each of the 5 steps, at regular intervals throughout this webpage. Simply click to go directly to the section that you require.
At the end of Step 2, you'll see a reminder to contact us to book your Supported Guidance telephone call with a member of the PDA team. This call is intended to take place after you have completed the tasks up to and including Step 3. You don't have to wait until you reach the end of Step 2 to make the booking, but do take into account the likely timescale of your preparations/workflow through this project.
There is a glossary of definitions immediately after Step 5 on this webpage.
Step 1: Set up a GDPR Implementation Team
Article 5 (2) stipulates that the controller shall be responsible for, and be able to actively demonstrate compliance with the personal data processing principles set out within the GDPR. The data controller (e.g. the law firm) must implement appropriate technical and organisational measures.
In order to demonstrate the accountability principle, the organisation should establish a GDPR implementation team who will be responsible for identifying the gaps in current data processing activities, mapping the flow of personal and/or special categories of data into and out of the organisation, reviewing and updating technical and organisational policies and procedures, along with educating staff across the organisatin about the regulation and their responsibilities.
Who should be represented within the implementation team?
Staff with responsibility for: HR, Marketing, Practice Manager, IT, Client/Customer Matters, any officers responsible for regulatory compliance, and the appointed Data Protection Officer (if mandated) / GDPR Lead.
Action Points for the Implementation Team to Resolve and Document
Action point 1.1
Are the directors/senior management fully aware of the organisation’s obligations set out in the GDPR?
- In particular the impact on the organisation’s reputation and trust amongst staff and clients/customers of non-compliance.
- Are senior staff fully aware of the rights and protections given to data subjects by the GDPR? (Bearing in mind that data subjects include staff, clients/customers and service providers.)
Raising awareness across the organisation about the implications of GDPR is a key first step in a firm’s implementation plan. The regulation should not be seen as a tick box exercise, but a process that will require on-going monitoring.
Action point 1.2
Are meetings between senior staff held to discuss and assess data protection within the organisation?
- Are these meetings recorded?
- How frequent are these meetings?
- Are they separate meetings or are they held as part of meetings with a wider agenda?
The purpose of these meetings will be to review any personal data protection breaches that have been recorded in the breach register, review any data subject access requests that have been received, discuss any new systems/practices that are to be introduced that will have an impact on the processing of personal data within the organisation.
It is good practice to take a risk-based approach when determining the frequency of these meetings, based upon aspects including the organisation's individual circumstances, knowledge base, resources, types of work conducted, breach/risk history and status of progression for GDPR.
Action point 1.3
Does the firm need a Data Protection Officer under GDPR?
- Has a DPO been appointed? Record details and update the ICO.
- Are all staff aware of the DPO and their role?
Article 37 of the GDPR makes appointing a DPO mandatory if:
- You are a public authority or body;
- Your core activities require large scale, regular and systematic monitoring of activities (see definitions for examples).
- Your core activities consist of large-scale processing of special categories of personal data (Article 9) or data relating to criminal convictions and offences (Article 10).
Where an organisation is mandated to appoint a DPO, they must take into consideration Article 38 of the Regu....