The General Data Protection Regulation (GDPR) gave a firm shake-up to existing rules on how organisations should process and protect individuals’ personal data. Not least of which was the introduction of potentially crippling fines – reaching 4% of overall turnover.
The Information Commissioner’s Office has already started proceedings against huge data-rich companies like Facebook and Google – and it showed last month that there is no escape for smaller organisations either. It’s unsurprising, then, that the vast majority of businesses report that they have made some preparation to meet the new compliance requirements. But there is concerning news that companies still haven’t done enough to bring their activities fully within the law.
So, here is our list of the five biggest holes that can leave your organisation exposed:
1. No ‘records of processing activities’
The GDPR (Article 30, to be exact) requires data controllers and processors to keep thorough records of any data processing they conduct regularly (the law uses the term ‘not occasional’). They also need to do this for any processing of Sensitive Data (ethnicity, sexuality, politics etc.) and for any processing that poses a high risk to the individual.
We are finding that organisations generally haven’t had a full data audit and, as a result, aren’t complying with the duty of transparency (i.e. properly informing Data Subjects about their processing activities in Privacy Notices).
Without an audit of your activities, it’s impossible to ensure that the privacy information you post on your website is an accurate reflection of how you handle people’s data. Where it is not, any processing activities that are not covered by that information are unlawful.
You will also be in danger of leaving your processing open to scrutiny and action from the ICO.
2. Privacy Policies fail to meet key criteria
Almost without exception, every Privacy Notice, Fair Usage Policy or Data Protection Policy we read on company websites fails to comply with the fundamentals required under Articles 13 and 14.
These articles are the gospel for data transparency: they determine what information data controllers must give to individuals whose data they retain and process.
Invariably we find companies are not properly identifying the third-party recipients of the data, and whether these other companies are in a country outside the EU.
One major provider of email and cloud storage services didn’t identify their Data Protection Officer or give any contact details for their DPO or other responsible person.
All too commonly, Privacy Notices are too generic, often bought as a ‘one-size-fits-all’ product, and don’t actually inform Data Subjects about an organisation’s actual processing and purposes.
This could leave organisations open to criticism for not fully complying with the principle of Transparency.
3. Inadequate agreements with processors
Penning new agreements with your suppliers to make them GDPR-compliant can be tricky – so we are seeing a tendency among Data Controllers to take a casual approach to the terms they set down with third parties who process data on their behalf.
Article 28 has some specific criteria for what these terms need to include, such as the categories and purposes of the data being transferred.
The updated terms of business you receive from Processors don’t always fulfil these criteria by default, so you need to be careful when transferring data to the likes of a Cloud Storage provider, Pensions provider or other processor.
One way we’ve seen companies get around this is to adopt a ‘controller-to-controller’ relationship, which throws up a slew of other compliance risks – so be very careful how you handle your data sharing agreements.
4. Obtaining ‘Consent’ where it is not required
One of the biggest positives to come out of the GDPR is that it has resulted in a better focus on the other legal bases for processing personal data – such as contractual obligation or legitimate interest.
In the majority of circumstances organisations have the freedom to process data when they need to without consent. Those who are well advised now see this and are taking proper advantage of the other legal bases that are available.
Consent should be a last resort for most processing activities, but many organisations continue to rely on Consent when it is not appropriate to do so – and the over-use of consent online for unnecessary cookies is fatiguing web users to the point that they no longer take proper advantage of their data rights.
5. Focusing solely on tech solutions for security
State-of-the-art IT systems offer a quick fix to prepare an organisation for malware attacks, breach analysis and restricting access – but technology is only half the battle in preventing Personal Data Breaches.
In fact, the most common cause of a data breach is human error – a lost computer, sensitive emails sent to the wrong address, or files accidentally being deleted.
The best way to protect your business is to make sure your people know how to perform their day-to-day work securely. We provide general and job-specific training to highlight how your employees need to change their habits at work, and keep Data Protection front and centre around the office.
GDP Armour provides gap analysis, training and compliance tools to clients who want to make the most of the new Data Protection laws. Fill in our contact form today and a consultant will call you back to discuss your needs.