The General Data Protection Regulation is coming and public sector bodies need to ensure they are ready for it. The EU regulation takes effect on 25 May this year, by which time all public bodies will be expected to be fully compliant with it.
The public sector has not always had a stellar record when it comes to data security and has been responsible for some of the biggest data breaches in the UK. In 2007, a junior staff member at HMRC reportedly sent two computer disks containing the details of approximately 25 million people through the post addressed to the National Audit Office.
The disks did not arrive and were never found. More recently, as PF reported in its last issue, Gloucester City Council incurred a £100,000 fine from the Information Commissioner’s Office in June 2017 after a hacker attacked its systems gaining access to sensitive personal and financial information.
Failure to comply with these new data protection rules could bring even bigger financial penalties – the maximum fine for GDPR breaches is €20m (about £17.7m) – so you should get to work now to close your GDPR gap. Here are some practical tips to help you along the way.
1. Consider whether you need to appoint a data protection officer
Under GDPR you have to appoint a DPO if:
- You are a public body, or
- You carry out monitoring of individuals on a large scale, or
- Your “core activities” consist of large-scale processing of special categories of data.
It is important to remember that you will be in breach of GDPR and liable for the lower tier of fines if you do not appoint a DPO if you are supposed to. Article 83 of the GDPR creates the potential for fines up to €10m or 2% of global annual turnover.
2. Carry out a data audit
It has been said that more data is created every two days than was created from the dawn of civilisation until 2003. Your organisation will have been amassing vast quantities of data and, to get in line for GDPR, you first need to figure out where your data is. To start a data audit, you should prepare a questionnaire asking for details on how data is processed, ensure you send it out to all departments and hold follow-up meetings to get a better understanding of data processes.
3. Draw a data map
If you are going to understand where the main risks are on GDPR, you will need to draw up a map of where your data is, who it is shared with and where it is being sent. Mapping data flows helps you pinpoint issues. You should also prepare a risk register outlining major risks in the way data is being used, how these could breach GDPR and what needs to happen next.
4. Get security right
Data security is the most important part of your GDPR project. Get this right and your project is in a strong position. Fail on data security and your organisation could be in line for some major GDPR fines.
I suggest inspecting the organisational ship to see where the data security holes are, training staff and making sure adequate cybersecurity is in place including breach prevention, software patches, penetration testing and encryption.
5. Stop using painful privacy notices
Can you remember the last time you read a privacy notice? Me neither. GDPR expects more from us. If we are to engage people, we should make our notices clear, plain and concise. Notices should be kept as brief as possible, use short sentences, avoid jargon and be set out in a clear, well-structured way.
6. Sort out your organisation policies
A big part of GDPR is being able to “demonstrate compliance” (article 5) – in other words, showing you comply with the new regulation in all that you do with personal data.
To do that you are going to need to make sure you have staff policies in place to ensure your employees are educated on their responsibilities regarding data processing across your operations. You may need to bring in some new policies, such as a data breach incident plan, a human resources data protection policy and a bring-your-own-device policy. See where your policy gaps are and fill them.
7. Train up your staff
Public bodies often underestimate the importance of staff training. One recent study found that human error is the leading cause of data breaches in organisations, featuring in 37% of cases.
Make sure you deliver basic data protection training to all staff and work out who needs further face-to-face training – e.g. the legal department, HR and so on. Make training engaging and relevant, with lots of examples of how data affects employees’ everyday lives and their jobs. Record all the training – useful if a regulator ever comes knocking.
8. Draft a privacy impact risk assessment template
Under articles 35-36 of GDPR, privacy impact assessments need to be completed for higher risk data projects. A PIA is a form that must be used on new projects that use “new technologies” and where the “processing is likely to result in a high risk to the rights and freedoms of individuals”. You need to put a process in place to ensure these PIA forms are used because failure to do this can attract heavy fines.
9. Ensure data breaches are reported
Under the GDPR, you have to notify the regulator within 72 hours of more serious data breaches. You must also communicate certain data breaches to the people affected without undue delay. Failing to report these breaches, or failing to report them in time, can attract major fines.
Educate your staff on their new responsibilities to report data breaches and put a process in place so that breaches can be reported to regulators and to the people affected efficiently.
10. Deal with contracts
Under the GDPR, when we use a supplier and we entrust them with our data we must, by law, have certain clauses in the contracts with that supplier to ensure they keep our data safe. Ensure contracts with suppliers have all of the GDPR clauses set out in article 38 in place, decide which of your historic contracts need to be updated and do your homework on all the vendors you use so they provide you with “sufficient guarantees” on data safety.
Top Tips
Do
1. Work out where your data is through a data audit
2. Train your staff – and make courses interesting and relevant
3. Make sure you have all the policies in place you need
Don’t
1. Write long-winded privacy notices
2. Overlook contractor compliance
3. Assume everything will be fine – have systems set up to report breaches
Patrick O’Kane is a data privacy lawyer and author of the book GDPR: Fix it Fast – How to Apply GDPR in Ten Simple Steps