This time last year we were all bustling around ensuring that we were following best practice in preparation for GDPR. As with any compliance exercise, it is always good to review what exists and test your assumptions. And whilst you may be hoping that Brexit will change everything, the UK 2018 Data Protection Act enshrines the key principles of GDPR, and therefore very little has changed for UK businesses.
That being said, if your business transfers data between the European Economic Area and the UK, you are going to have to be aware of data adequacy agreements. These are currently being negotiated between the UK and EU. If an agreement has not been reached by the exit date, there are data adequacy safeguards, contractual clauses and privacy statements which you can use to help your organisation comply with GDPR. This will put in place similar conditions to the 2016 Privacy Shield agreements set up between the EU and US, which the EU is trying to harden. If you already use a cloud IT service which stores and/or processes your data (including personal data) anywhere outside of the EU, you should have already considered this, but it is worth reviewing your arrangement to make sure nothing has changed.
Hopefully your procedures have bedded in beautifully, your DPO compliance reports are being read by management and everything is going to plan, but we’d suggest some spot checks and revisiting your policies to make sure nothing has changed.
For this purpose it is worth reviewing the six principles of data protection, which are: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; and integrity and confidentiality.
We’re sure you spent time ensuring your data collection policies were lawful, fair and transparent ready for last year. You may have excellent processes in place ready for handling changes to the way your business collects data, but it’s useful to test your assumptions. Now would be a good opportunity to review the PII data you are storing on individuals.
Under the principle of data minimisation, is it possible you are inadvertently gathering data that isn’t needed? Similarly, under the principle of purpose limitation, are you still certain that the information you are storing still has a purpose? If anything has changed you will need to delete the data and take time to update your Privacy Policy accordingly, to ensure you adequately communicate your purpose and practices.
Also, are you accurately storing the source of your data? If you have had any subject access requests, it may be worth reviewing these to ensure that you feel your response was adequate, or to identify any patterns highlighting problems with data sourced via a specific channel. Hopefully you have someone reviewing this regularly, but if there have been issues it is worth revisiting and reviewing your data handling practice.
One of the more problematic issues can be data accuracy, but you are obligated under GDPR to ensure that you take “every reasonable step” to remove or rectify out-of-date data. So if a data record hasn’t been accessed or updated in a certain amount of time, it may be worth setting some automated flags that prompt you to inspect the records further and initiate whatever activities are needed to manage the updates effectively. If these are dead records then it is a good idea to remove them.
Storage limitation also means that you remove data which is no longer necessary. You should have put in place time periods and mechanisms for deleting records. If this is being managed manually, you may wish to review your processes to see if there is a way to flag data for removal and/or automate its deletion.
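The two preceding paragraphs describe the same mechanism from the accuracy and storage-limitation angles: flag records that have gone idle for review, and schedule removal once they pass their retention period. The script below is an added example, not code from the original post; the record layout, the 12-month review and 24-month deletion thresholds, and the sample records are all constructed assumptions, and a real deployment would read records from the actual system of record and route the "review" list to the data owner rather than deleting automatically.

```python
"""Added example: flag stale PII records and schedule removals under a
retention policy. Not code from the original post; the record fields,
thresholds and sample data are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Hypothetical retention policy (assumption, not from the post):
# review records idle for 12 months, delete records idle for 24 months
# or whose explicit retention end has passed.
REVIEW_AFTER = timedelta(days=365)
DELETE_AFTER = timedelta(days=730)


@dataclass
class Record:
    record_id: str
    purpose: str                                # why the data is held (purpose limitation)
    last_updated: datetime
    last_accessed: datetime
    retain_until: Optional[datetime] = None     # explicit retention end, if the purpose has one


def classify(record: Record, now: datetime) -> str:
    """Return 'ok', 'review' or 'delete' for a single record.

    A record is idle since the later of its last update and last access;
    an explicit retention end wins over the idle thresholds.
    """
    if record.retain_until is not None and now >= record.retain_until:
        return "delete"
    idle = now - max(record.last_updated, record.last_accessed)
    if idle >= DELETE_AFTER:
        return "delete"
    if idle >= REVIEW_AFTER:
        return "review"
    return "ok"


def retention_report(records, now):
    """Group record ids by required action so a data owner can act on them."""
    report = {"ok": [], "review": [], "delete": []}
    for record in records:
        report[classify(record, now)].append(record.record_id)
    return report


# Constructed sample data with a fixed 'now' so the output is reproducible.
NOW = datetime(2019, 5, 1, tzinfo=timezone.utc)
SAMPLE = [
    Record("cust-001", "order fulfilment", NOW - timedelta(days=30), NOW - timedelta(days=2)),
    Record("cust-002", "newsletter", NOW - timedelta(days=400), NOW - timedelta(days=400)),
    Record("cust-003", "old campaign", NOW - timedelta(days=800), NOW - timedelta(days=800)),
    Record("cust-004", "recruitment", NOW - timedelta(days=10), NOW - timedelta(days=10),
           retain_until=NOW - timedelta(days=1)),
]

if __name__ == "__main__":
    for action, ids in retention_report(SAMPLE, NOW).items():
        print(f"{action}: {ids}")
```

Note that `cust-004` is deleted even though it was touched ten days ago: storage limitation is tied to the purpose's retention period, not only to whether anyone is still reading the record. Keeping the "review" output separate from "delete" is deliberate, since the accuracy principle asks you to inspect and rectify before you remove.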
The final principle is integrity and confidentiality. Here it is important to review the measures your organisation is taking to secure PII data. GDPR doesn’t dictate what measures you should take, but have you encrypted or pseudonymised personal data where you can? Are you confident that data isn’t creeping off your central systems into spreadsheets, onto unsecured BYOD devices or onto memory sticks? Again, it is worth spot checking to ensure that the best practice you implemented is being perpetuated and that no unhealthy behaviours have crept in.
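As an added example of the pseudonymisation mentioned above (not code from the original post), the script below replaces direct identifiers with a keyed hash so that an extract can be analysed without the real names and email addresses being present. The field names, the sample rows and the choice of HMAC-SHA256 are assumptions for illustration. The important caveat it demonstrates is that pseudonymisation is reversible by whoever holds the key, so the key must be stored and access-controlled separately from the extract, and the result is still personal data under GDPR.

```python
"""Added example: pseudonymise direct identifiers with a keyed hash.
Not code from the original post; field names and sample rows are
constructed for illustration."""
import hashlib
import hmac
import secrets

# Fields treated as direct identifiers (assumption for this example).
# Remaining fields such as region may still act as quasi-identifiers
# and need their own assessment before an extract is shared.
DIRECT_IDENTIFIERS = ("email", "name")


def new_key() -> bytes:
    """Generate a pseudonymisation key. Keep it apart from the extract."""
    return secrets.token_bytes(32)


def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 over a normalised identifier, hex encoded.

    Normalising case and whitespace means the same person always maps to
    the same token, which keeps joins and de-duplication working.
    """
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def pseudonymise_row(row: dict, key: bytes) -> dict:
    """Return a copy of the row with direct identifiers replaced by tokens."""
    return {
        field: pseudonym(value, key) if field in DIRECT_IDENTIFIERS else value
        for field, value in row.items()
    }


def relink(pseudonymised_rows, email: str, key: bytes):
    """With the key, the controller can still locate a known person's row,
    e.g. to answer a subject access request. Without it they cannot."""
    token = pseudonym(email, key)
    return [row for row in pseudonymised_rows if row["email"] == token]


# Constructed sample rows.
SAMPLE_ROWS = [
    {"email": "alice@example.com", "name": "Alice Smith", "region": "North", "orders": 3},
    {"email": "bob@example.com", "name": "Bob Jones", "region": "South", "orders": 1},
]

if __name__ == "__main__":
    key = new_key()
    extract = [pseudonymise_row(row, key) for row in SAMPLE_ROWS]
    for row in extract:
        print(row)
    print("relinked:", relink(extract, "Alice@Example.com", key))
```

An unkeyed hash would not be enough here: email addresses are low-entropy and a plain SHA-256 of a guessable address can be matched by anyone with a list of candidates. The key is what prevents re-identification by parties who only hold the extract, and rotating it produces an unrelated set of tokens, which is why keys should not be reused across unrelated data sets.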
When you’ve put policies in place, it’s very easy to blindly assume that they are being followed. Even organisations that have deployed measures such as DLP and encryption to support their compliance need to benchmark their data and practice. In our experience, gaps can develop. So why not initiate a spring clean and get your data owners in a room to review progress and troubleshoot any issues? Better safe than sorry.