Although the Information Commissioner’s “Twelve Steps to Prepare” is an excellent guide to what organisations need to do in the eighteen months before the General Data Protection Regulation becomes UK law in May 2018, following them in order from 1 to 12 may not be the best approach. Some of the steps depend on the results of others, some are likely to take longer to achieve (in particular those that are new requirements, rather than adaptions of existing ones), and some may be easier once guidance is published by either the Information Commissioner or the Article 29 Working Party. This post attempts to use those factors to put the steps into a logical sequence for implementation.
Craig Clark of the University of East London has written an article on setting up a GDPR project. To lead this, organisations should identify their Data Protection Officer (ICO step 11) as soon as possible, even though the promised guidance from the Article 29 Working Party has not yet appeared. Identifying the relevant national regulator (ICO step 12) is another area where formal guidance is still awaited, though almost all Jisc customers seem likely to be subject to the UK Information Commissioner.
The first group of activities, on which work should probably have started already, contains the ICO’s steps 1 (Awareness), 2 (Information You Hold), and 10 (Data Protection by Design and Data Protection Impact Assessments). Awareness among senior managers will be essential to obtain support and resources. Knowledge of information flows is the starting point for most other steps. The process used to map flows will form a significant part of implementing data protection by design, so steps 2 and 10 are likely to benefit from being developed together. The Regulation’s stress on accountability means that documented processes to identify, analyse and protect new and existing activities will be a key part of demonstrating compliance. These processes should be well advanced by May 2018. Since they need to cover both internal development activities and external procurements, development and implementation are likely to require most of the remaining 18 months, so work should start now. Specific ICO guidance on Contracts and Data Controller/Data Processor relationships, and the Article 29 guidance on Data Protection Impact Assessments, can be incorporated when those are published.
As data flows and processing activities are identified, the ICO’s step 6 (Legal Basis for Processing Personal Data) can be applied. Changes to the definition of valid Consent (in Recitals 42&43 and Article 7) seem likely to lead to a reduction in the use of that justification, so other justifications in Article 6(1) may need to be considered.
Once the legal basis for a flow is determined, it will be possible to identify and implement the appropriate rules for steps 3 (Communicating Privacy Information), 7 (Consent), 8 (Children), 4 (Individuals’ Rights) and 5 (Subject Access Requests). The ICO’s guide to Privacy Notices is already available; further guidance on Individuals’ Rights and Consent is expected soon, with Profiling and Children to be covered later. The Article 29 Working Party are expected to provide guidance on the Right to Portability, which appears to be considered an aspect of the Subject Access Right, by the end of this year.
As a new requirement under the Regulation, step 9 (Data Breaches) should be borne in mind when mapping information flows. Wherever information is stored, organisations should ensure that they have processes and systems to quickly obtain the information that would be needed if a breach were to occur. Under the Regulation, all breaches will need to be recorded. However determining which breaches need to be reported to the regulator and which to affected data subjects will depend on regulators’ interpretation of “(high) risk to the rights and freedoms of individuals” (Articles 33&34). Although the ICO mentions “risk and significant/legal effects” as a topic where thinking will be developed, it appears that formal guidance may not be provided till later next year.