I couldn’t help but smile over the Christmas break when the other half was playing with their latest gadget, a well-known Voice Service speaker. Having started to become familiar with how it operated, the requests were getting shorter and shorter. It would appear that manners are included for free – when the commands were eventually reduced to a single word, the speaker responded with “that wasn’t a very nice way to ask” and the request had to be rephrased before being actioned!
The technology in these devices is amazing, although it once again highlights the increasing issues with privacy. Devices are constantly “listening” and monitoring the environment, collecting data about the way in which we are choosing to live our lives. And how many of us actually check what happens to this data or take any steps to control how it is used? We have already seen a case in the USA where the police have issued warrants for the data collected by such a device. While they were refused, the police were still able to extract the data they were looking for from the device itself, and I am sure cases will follow in the UK.
The explosion of new technology highlights the need for reform of privacy-related laws, and the General Data Protection Regulation (GDPR) will offer much greater control than existing laws. With less than 18 months until it comes into effect, it is time to begin preparations. It is a fairly complex piece of legislation with potentially significant implications so where do we start?
This blog is going to go back to basics, discussing what information falls within the GDPR. This will inform and underpin many of the topics discussed in later blogs, as well as provide an opportunity for you to assess your readiness for the GDPR.
Relevant Key Terms
We are going to start by briefly discussing the key terms used in this blog and their interpretation. The first terms to be considered are “personal data” and “controller”.
The definition of personal data is broadening from the existing definition under the Data Protection Act 1998 (DPA 1998) (see Note 1). The GDPR applies to personal data which is defined as (Article 4):
“…any information relating to an identified or identifiable natural person”.
The definition goes on to state that an identifiable person is one who can be identified directly or indirectly by reference to an identifier, and includes online identifiers.
If you are responsible for personal data, you are likely to currently be considered a data controller. The term “controller” and its definition are essentially retained under the GDPR, which states that the controller:
“…determines the purposes and means of the processing of personal data”.
Alongside identifying any responsibilities for personal data, it is also important to identify what personal data your organisation is processing, as they may not necessarily be the same. The term “processing” essentially covers anything you do with information, including collection and storage (see Note 2).
Where an organisation is processing personal data on behalf of a data controller, they are likely to currently be considered a data processor. The term and meaning of “processor” is retained by the GDPR although there are new responsibilities for data processors which will be discussed in future blogs (see Note 3).
Documenting Your Organisation’s Personal Data
Before we can start on compliance activities, the crucial first step is to identify the personal data for which your organisation is responsible, as well as personal data being processed by your organisation. This may seem obvious and straightforward, and often it is, but it is always worthwhile spending some time auditing activities to determine exactly where personal data is held, and why and how it is processed.
There are many different ways of auditing the information held by your organisation. The audit needs to establish the properties of personal data, which will help determine levels of compliance and what changes need to be made. It is recommended that the interpretation of personal data is as wide as possible at this stage to ensure nothing is missed. If information allows or enables people to be identified, including information that requires a secondary source to make that identification, it should be documented as personal data.
Under the GDPR there is much more of a focus on accountability, which places a greater emphasis on knowing where your personal data came from and where it goes. Therefore, rather than looking at static datasets and collections of information, it may be more effective to base the audit on business processes and to look at their inputs and outputs. In addition to identifying the information associated with each process, this approach will also enable you to understand how data flows through your organisation.
It will be important to document as much as you can about how personal data is managed. For each business process, this should include:
- Personal data held by your organisation. If not already known, it would also be helpful to note whether your organisation is likely to be considered the data controller, and the format in which it is held;
- Personal data held and processed on your behalf by a third party. GDPR is likely to require changes to existing contracts and this will be revisited in a later blog;
- Personal data being processed by your organisation on behalf of a third party;
- The purposes for which personal data is processed. Remember that different parts of your organisation may be using the same information for different purposes and each purpose should be documented;
- How personal data is processed and any resulting changes to that dataset or information. It will also be important to identify whether there is any automated processing and who can access the data;
- How long personal data is kept and how it is destroyed;
- Sources of personal data, and whether personal data from your organisation is made available or accessible to a third party;
- It would also be helpful to document existing safeguards in place such as contracts, data processing agreements, or data sharing agreements, and which role in your organisation has overall responsibility for the personal data you identify.
There are many ways to approach the audit or review and the most appropriate method for your organisation is likely to depend upon many factors including size and type of business activity (see Note 4). You may wish to create an information asset register (IAR), which can be developed and updated as the various measures for compliance are implemented. This type of document should provide you with current high level risks of non-compliance to your organisation, as well as provide a record of the measures taken to ensure compliance.
Remember, GDPR builds on existing data protection legislation and organisations should already be compliant with the DPA 1998. Once you have documented your personal data, it would be useful to do a check on current compliance, and identify whether any immediate actions are required.
We are going to use this information in a number of future blogs to assess your readiness for the GDPR so make sure you keep it handy. Questions, comments, feedback and special requests are always welcome.
Note 1: The current definition of personal data and guidance on its interpretation is available from the Information Commissioner’s (ICO) website. The ICO is the UK regulator for the Data Protection Act 1998 and will also regulate the GDPR.
Note 2: ‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
Note 3: Data controllers are currently responsible for ensuring any processing of personal data for which they are responsible complies with data protection legislation. GDPR introduces distinct requirements for data processors which will be covered in a later blog, and it is important to understand your role with regard to personal data that your organisation is processing from the outset.
It is possible for an organisation to be a data controller and a data processor. For example, if you are an organisation providing employment services for others such as HR services to other organisations, you are likely to be a data controller for your own client (where they are individuals, sole traders or partnerships) and employee information. You are also likely to be a data processor of personal data relating to third party employees.
In practice, these relationships can often be extremely complex. The relationship should be documented by contract and further guidance on this is available from the ICO’s website.
Note 4: The first place for guidance is always the ICO’s website. There are also the relevant BSI standards which relate to managing records and information. For a more detailed approach using business processes, there is some useful guidance in DIRKS https://www.records.nsw.gov.au/recordkeeping/advice/dirks/step-b. This was written primarily for Australian public sector organisations; however, the principles can be applied to any organisation and it is widely accepted as best practice. If you are interested in Tkm providing this service for your organisation and assessing your readiness for the GDPR, please get in touch.
The material contained in this article constitutes general guidelines only and does not represent to be advice on any particular matter. No reader should act on the basis of material contained within this site without first taking professional advice appropriate to their particular circumstances.