With maximum fines for breaching the GDPR the higher of either 4% of group turnover, or €20 million – compliance is essential to anyone involved in processing information and data about individuals in a commercial context.
With that in mind, Mortgage Solutions has put together some pointers to help prepare your businesses for GDPR compliance.
1. Data audit
Organise an information audit across your business – find out what data you hold, what you do with it, where it’s held, who it’s shared with, and how it flows into, through and out of your firm.
Document your findings in a register, this will help you comply with the GDPR’s accountability principle, which requires businesses to demonstrate their compliance efforts.
Also, bear in mind that documentation standards for firms with over 250 employees are more stringent than smaller firms.
You can find details on what firms of different sizes need to document here.
2. Policy and procedure check
A review of existing policies and procedures should be set up, then compared against GDPR requirements.
Before you can collect and process data, you need to identify your lawful justification for processing. For example, when is data processing or collection necessary for the performance of a contract with the data subject? Or when you enter into a contract and has the person given their consent to have their data taken and used?
Your legal approach to handling data has effects on individuals’ rights – if you rely solely on consent to process data, for example, people will have a stronger right to have their information deleted.
What you do with data at the moment should also be reviewed against the GDPR to ensure that individuals’ rights are reflected in working practices.
For instance, the timescale for responding to individuals’ requests seeking to enforce their rights will be shortened from the current 40-day period to 30 days, so update your working practices accordingly.
You can find full details on the lawful bases for processing here, and individuals’ rights here.
3. Data protection measures
You also need to have the appropriate technical and organisational practices in place.
Firstly, you need to know when to conduct a Data Protection Impact Assessment (DPIA). DPIAs describe the purpose of processing, the proportionality of processing in relation to that purpose, a risk assessment, and measures in place to address those identified risks.
DPIAs need to be carried out when you’re using new technologies, and when the processing is likely to result in a high risk to the rights and freedoms of people.
In addition, a senior staff member should be appointed to manage information risks, which will include creating risk mitigation procedures, as well as logging and risk assessing information assets.
It’s also important that someone within the business, or an external adviser takes responsibility for data protection compliance.
In certain cases, a data protection officer (DPO) needs to be appointed or hired. For example, you must have a DPO if you carry out large-scale, systematic monitoring of individuals’ data.
The DPO will need the expertise to advise on GDPR obligations. They’ll be responsible for monitoring compliance, and will be the first point of contact for authorities, staff and customers alike.
You can find a detailed breakdown on when you must appoint a DPO, and their duties here.
4. Privacy notice update
At the moment, company identity and how you plan to use any data needs to be declared – usually in a privacy notice – before collection.
Under the GDPR, more information needs to be provided. You need to identify your legal grounds for processing, your data retention periods, who the data is shared with, and be aware that people can complain to the Information Commissioner’s Office (ICO) if they find fault with how you handled their data.
This information needs to be given out in your privacy notice, and in any forms or letters you send out to people in concise, easy to understand language.
For more details on privacy notices, and what should be included, go here.
5. Consent building
While consent isn’t always necessary for data processing, GDPR standards for cases where consent is required will be stricter after May.
Consent requests, where applicable, should be kept separate from other terms and conditions, and ought to require a positive opt-in, such as unticked opt-in boxes.
You should also specify the names of your business and any third-party organisations who will use the data, and let people know that they can withdraw consent at any time.
Moreover, you should avoid making consent a precondition of service, and keep records of what individuals have consented to – including what you told them, and when and how they consented.
6. Awareness promotion
GDPR compliance doesn’t stop with a one-off update or system overhaul. Because the legislation concerns how organisations handle data as a whole, it’s essential that awareness of the GDPR, and any changes to policy and work habits are communicated to and understood by staff at every level.
A management approved policy – in a standalone policy statement or as a part of a general staff policy – should be established to help you address data protection consistently. This will also help you satisfy the GDPR’s accountability principle.
You should set up training programmes for staff, and establish a process to monitor ongoing compliance.
Consider setting up workshops, digital walkthroughs, adding a GDPR section to staff handbooks, or creating tests to ensure and maintain awareness of what is changing, and why.
7. Keep an eye out
The ICO’s guidance on GDPR compliance is an ongoing process, so you should keep an eye out for upcoming changes.
The ICO has a GDPR overview on its website, it’s a living document and is updated monthly to highlight developments. You can find the ICO guide here, a 12 step summary to GDPR preparation here, and a detailed compliance checklist here.
