Understand what is changing
Data protection is not a new phenomenon. Since the mid-1990s there has been a data protection regulation and if you go way back – you’ll find that the origins started around 129 years ago! Obviously things have changed since then… hence the GDPR!
So hopefully your business has been aware of the Data Protection Act (DPA) 1998. The best starting point therefore is to establish your current DPA compliance by doing a GDPR GAP Analysis.
GDPR extends the principles of the DPA 1998 and should be viewed as an ‘evolution’ in data protection regulation, not as something entirely new!
The best way to start is to compare your current DPA compliance to the GDPR requirements by doing a GDPR GAP Analysis. This will highlight where you are not compliant and where there are specific risks. This will also allow you to establish where the new rights for individuals and obligations have to be built in. Based on this and your Information Audit, you can develop an implementation plan that you can action.
GDPR GAP Analysis – Approach
A GDPR GAP Analysis will help you identify and prioritise the areas that should be addressed. But, how? Where do you start? Are there GDPR Gap Analysis tools available? Do I have the knowledge to do it myself?
There are a few different approaches you could take as a small business:
Do It Yourself Approach:
There are several self-assessment tools available which are questionnaire driven. There is a questionnaire on the ICO website which has been developed specifically for small organisations. Follow the instructions and at the end you will have a report with practical actions you can take.
GDPR Consultancy Service:
You can outsource the conducting of a GDPR GAP Analysis to an external GDPR Consultant. They come to your organisation and conduct an on-site assessment of how your organisation handles data protection, what measures and controls you have in place, and your information security.
After the on-site assessment, you will receive a detailed GDPR GAP Analysis report of your data protection compliance highlighting areas of concern. You will also get an implementation plan detailing what you need to do in order to become GDPR compliant. This is something ATB Project Solutions Ltd can help with.
Other ways of conducting a GDPR GAP Analysis include buying templates with GAP Analysis tools included or looking at buying software. However, as a small business I would suggest starting with the ICO website or, when there is no data protection knowledge in your business and this becomes very time consuming, investing in getting a GDPR consultant to look at your data protection.
How to perform a GDPR GAP Analysis
For the purpose of this article let’s say you have chosen the DIY approach. You are the Data Controller (i.e. you decide what happens to the data – see here for more information). There are a number of areas you will have to review as part of the analysis. See below:
This is all about making sure that your organisation is acting appropriately by taking accountability for how you obtain and process personal information. Things to think about here:
- Have you identified and documented your lawful basis? For each different type of processing?
- If consent is one of the lawful bases you rely on, how do you manage that?
- Are you informing individuals why you need their data, what you do with that data and how you protect it? (i.e. a Privacy Notice)
- Do you have processes in place to manage the rights of individuals? I.e. if there is a data subject request, do you and your staff know how to handle it?
- Have your staff been trained on these policies and procedures? Very important not to forget that!
- When you deal with third party processors, do you have a contract in place?
Also part of a GDPR GAP Analysis is reviewing how your governance is set up in your organisation. Do you have policies in place to deal with data protection and information security? And are they monitored and reviewed regularly, or stuck on a shelf somewhere collecting dust?
Is there someone in your organisation who is responsible for data protection? Any business has risks and issues. Are these managed?
Something else to consider: when you choose a new supplier, a new system or provide a new service, do you review that against data protection requirements? This is called Data Protection by Design and is aimed at ensuring data protection is integrated into all of your processing activities.
Data Protection Officer (DPO)
Appointing a DPO in your organisation is not mandatory, but there are exceptions. Best practice is to have a resource in your organisation dealing with data protection issues. When this is the case, make sure that person has the time to deal with these issues, especially in job-share situations where only a percentage of their time is allocated to it. They should have direct access to senior management and the standing to raise these issues.
Data Protection is closely linked to information security. Therefore it is important for you to review how your IT is set up and ensure you have the appropriate controls in place. Make sure you have policies and procedures setting out how IT should be managed and operated. These should be accessible to your staff.
When it comes to reviewing your IT, think about having secure passwords in place, and ensuring you have firewalls and malware protection. Who has access to what data? Is your data backed up? But also, how do you manage remote workers and removable media?
Managing paper and electronic files
It’s easy to forget in this digital age, but you should manage and protect both your paper and electronic files. Make sure you archive them appropriately, so you can easily find documents. Make sure your staff knows how to manage and archive files consistently. Also, make sure you know where your data is.
Another aspect of managing files is making sure they are stored securely (both paper-based and electronically). Ensure there is access control in place and business continuity.
When there is no longer a lawful basis to keep information, you need to ensure this is disposed of securely.
And then there is marketing! This is where the lawful basis of consent is very prominent. You must ensure this is recorded and managed appropriately. There is also other legislation to consider, such as the Privacy and Electronic Communications Regulations (PECR). The PECR sits alongside the DPA and GDPR. Please note, the PECR is affected by the GDPR, however it is not superseded by the GDPR! Therefore, you must comply with both.
There are specific documentation requirements under the GDPR. You need to have the appropriate policies and procedures in place to manage all the different aspects of data protection.
There is also the requirement to document your processing activities. You need to document your lawful basis for processing. When this is for example legitimate interest, there needs to be a written assessment in place. This will all be made clear when you go through the GDPR GAP Analysis report.
As you can see, GDPR is not just about having a privacy notice in place. Or having a few policies to gather dust in a cupboard. GDPR is all about making organisations take accountability for handling personal information!
I hope the above is considered helpful when you start your GDPR GAP Analysis. But if you would like further support, please get in touch!
The information provided in this article and on this website is not legal advice. We would recommend consulting a solicitor if you need legal advice or definitive legal guidance. Or visit the ICO website for the Guide to GDPR.