Lexis ® PSL Risk & Compliance GDPR Planner (Phases 1, 2, 3 and 4)

Upload: nguyenngoc

Post on 18-May-2018



GDPR Planner (drafting notes)

This GDPR planner aims to help you prepare your business data compliance processes for the General Data Protection Regulation (GDPR), which comes into force on 25 May 2018. It expands on the suggested set of actions for each of the 12 areas issued by the Information Commissioner’s Office (ICO) but, rather than presenting them by subject matter, orders them chronologically, breaking the necessary actions down over four periods of time: (1) groundwork, (2) planning, (3) implementation, and (4) embed/test/review.

Phases 1, 2, 3 and 4 can be seen below.

Phase 1: Groundwork

CATEGORY | TASK | DATE COMPLETED | COMMENT

Data Protection Officers

Consider whether to appoint a Data Protection Officer (DPO) to be responsible for data protection within your organisation and to assess whether your current approach to data protection compliance will meet the GDPR’s requirements.

Scope out the potential DPO role. See Precedent: Data protection officer—DPO—job description and role profile.

Insert date

Data Protection Officers

Assign budget and/or resources to data protection compliance.

Insert date

Awareness

Ensure the board receives regular briefings and updates on the organisation’s preparations for GDPR implementation.

You can cover this in Precedent: Data protection board report.

Insert date

Awareness

Add GDPR compliance as a risk to your organisation’s Risk register. Consider the resource implications on implementing the GDPR.

Insert date


Information audit

Conduct an audit of:

− what personal data you receive and/or hold

− how you process personal data

− for what purposes you process personal data

− whether you transfer or share personal data and, if so, to whom and how

− how personal data moves within your organisation

− whether you transfer personal data outside the EEA

− how you ensure personal data remains accurate and up-to-date

− how you store personal data

− how long you keep personal data

− how you destroy personal data

For the first part of the audit (what personal data you receive and/or hold), see Practice Note: Data mapping and Precedent: Sample data processing map.

See also Precedent: Data and information register, which can be used to record the output of your data mapping exercise, including the remaining parts of the audit.

Insert date

Individuals’ rights

Review Practice Note: The General Data Protection Regulation—Rights of the data subject, with particular regard to:

− data portability

− data deletion

− direct marketing

− objecting to processing

− restricted processing

− automated decision-making and profiling

Insert date

Communicating privacy information

Review Practice Note: Privacy notices to familiarise yourself with the ICO’s expectations in relation to privacy notices.

Insert date


Legal basis for processing personal data

Review all the data you process and identify your legal basis for doing so — generally, this will be consent of the data subject. Pay particular attention to sensitive personal data.

Document your findings in a Data and information register, also known as a data-processing register.

Insert date

Consent

Review Practice Note: The General Data Protection Regulation—Lawfulness of processing—New standard for consent.

Insert date

Children

Review Practice Note: The General Data Protection Regulation—Lawfulness of processing—Parental consent.

Insert date

Privacy by design

Review subtopic: Privacy impact assessments to familiarise yourself with the concept of privacy impact assessments (PIAs), also known as privacy by design.

Insert date

Phase 2: Planning

CATEGORY | TASK | DATE COMPLETED | COMMENT

Data Protection Officer

Proceed with appointment of a DPO or nominated individual to be responsible for data protection within your organisation and GDPR preparation—see Precedent: Data protection officer—DPO—job description and role profile.

Decide where the DPO should sit within your organisation’s structure and governance arrangements.

Insert date

Legal basis for processing personal data

Check that your current legal basis for processing data (as recorded in a data processing register) will be valid under the GDPR—see: lawfulness of processing.

Insert date


Individuals’ rights

Consider whether the right to portability will apply to any of the data you process, ie personal data an individual has provided to you as a data controller, where:

− the processing is based on the individual’s consent or for the performance of a contract, and

− processing is carried out by automated means

Insert date

Individuals’ rights

If so, consider how you will deal with requests to port data—to include the requirement to provide the personal data in a structured, commonly used and machine-readable form.

Insert date

Individuals’ rights

Check your procedures and work out how you would react if someone asks to have their personal data erased.

Can your current IT systems facilitate the location and deletion of data or will you need to invest time and money in some form of enhanced functionality?

Who will make the decisions about deletion when requests are received?

Insert date

Individuals’ rights

Consider whether your systems will be able to cope with requests for data portability or deletion where the data relates to more than one data subject.

Insert date

Individuals’ rights

Review your direct marketing processes (including those of any service providers). Are you able to remove data subjects who object to direct marketing?

Insert date

Individuals’ rights

Consider whether your systems enable you to isolate and exclude restricted data from processing activities.

Insert date


Individuals’ rights

Audit whether, to what extent and on what basis your organisation makes use of automated decision-making and/or profiling (refer to your data processing register). If:

− you undertake profiling based on consent, check that consent is explicit

− profiling is undertaken on sensitive personal data, check your processes enable your organisation to obtain explicit consent

Insert date

Subject access requests

Review your internal processes for dealing with subject access requests. Consider whether changes are required to be able to process requests within one month.

Insert date

Subject access requests

Consider conducting a cost/benefit analysis of developing functionality for people to access their own information easily online.

Insert date

Communicating privacy information

Plan for ICO Privacy Code compliance.

Draw up a register of all documents and intranet and website pages that provide privacy information. See Precedent: Privacy notice register.

Audit the wording and functionality of each privacy notice identified in the register for compliance with the ICO Privacy Code. See Precedent: Privacy notice audit.

Identify whether the organisation can make amendments to privacy notices itself or relies on an external service provider to make changes.

Insert date


Consent

Review your current systems for obtaining consent—do you presume consent from silence, pre-ticked boxes or inactivity? You can use Precedents: Privacy notice register and Privacy notice audit as your starting point.

If yes, investigate what technological and other process changes need to be made to ensure:

− consent is given by a clear affirmative act, e.g. a written statement, electronic means, or oral statement

− separate consent is given for distinct processing obligations

Insert date

Consent

Consider whether you currently obtain consent as part of a written declaration which concerns other matters. You can use Precedents: Privacy notice register and Privacy notice audit as a starting point.

If you do, consider what changes need to be made to ensure the consent request is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.

Insert date

Consent

Consider whether your current systems provide an effective audit trail of consent being given. If not, investigate what changes need to be made.

Insert date

Consent

Consider whether your current system provides simple methods for withdrawing consent. If not, investigate what changes need to be made.

Insert date


Children/consent

Determine whether the rules on children will affect your organisation and, if so, consider:

− what process changes are required (if any) to ensure appropriate parental consent mechanisms are implemented

− any codes of practice relating to children issued by any relevant regulator

− whether any process changes are required to ensure you can demonstrate you properly consider whether a child’s interests may override your own (if relying on legitimate interests to justify processing)

Insert date

Data breaches

Review your information security arrangements—see Precedent: Information security review.

Insert date

Data breaches

If you have not already done so, implement a data breach policy or plan.

See subtopic: Managing data breaches, which contains a range of tools and Precedents including: Data breach plan, Data breach panic sheet and Data protection breach management workflow.

Insert date

Data breaches

Review data protection clauses with external providers to ensure they require prompt notification to you of any data security breach and appropriate remedies, including termination.

Insert date

Data protection by design

Consider your organisation’s strategic plan and ICT plan. Are there any activities within the foreseeable future that may trigger the need for a PIA?

If yes, ensure your project plan(s) make provision for conducting a PIA to ensure privacy by design—see Precedent: Privacy impact assessment.

Insert date


Information audit

Collate contract documentation for all third parties with whom you share data. This information should be available in your data processing register.

Insert date

International

Determine which national data protection supervisory authority you come under—for the vast majority of organisations, this is likely to be the ICO.

If your organisation operates from other Member States, map out where the most significant decisions about data processing are made. This will help to determine your organisation’s main establishment and therefore your lead supervisory authority.

Insert date

Phase 3: Implementation — by the end of December 2017

CATEGORY | TASK | DATE COMPLETED | COMMENT

Individuals’ rights

Make necessary changes to your systems and processes in relation to:

− data portability

− data deletion

− direct marketing

− objections to processing

− restricted processing

− automated decision-making and/or profiling

Insert date

Subject access requests

Make necessary changes to your systems and processes in relation to subject access requests. This will include amending response letters and timescales.

Insert date


Legal basis for processing personal data

Implement a process for making and recording decisions on processing activities beyond the scope for which consent was given, taking into account the factors in GDPR, Art 6(4).

Insert date

Communicating privacy information

Finalise updated privacy notices.

Insert date

Consent

Make changes to your consent systems and processes as required to ensure:

− any request for consent is clearly distinguishable from the other matters, and is made available in an intelligible and easily accessible form, using clear and plain language

− consent is given by a clear affirmative act, eg a written statement, electronic means, or oral statement

− separate consent is given for distinct processing obligations

− there is an effective audit trail of consent being given

− there are simple methods for withdrawing consent

Insert date

Children/consent

If you offer information society services directly to children, make necessary changes to your systems and processes:

− in relation to parental consent

− to demonstrate you properly consider whether a child’s interests may override your own (if relying on legitimate interests to justify processing)

Insert date

Data breaches

Update your Data breach plan for consistency with the GDPR, eg regarding notification requirements.

Insert date


Data breaches

Ensure data protection clauses with external providers require prompt notification to you of any data security breach and incorporate appropriate remedies, including termination.

Insert date

Privacy by design

Embed a culture of privacy by design, ensuring that any high privacy-risk or high-impact projects incorporate a PIA.

Insert date

Information audit

Review contract documentation for all third parties with whom you share data.

Consider the extent to which contract clauses require amendment for compliance with the GDPR. See Precedents: Data processing provisions—DPA 1998 and GDPR compliant—pro-controller and Data processing provisions—DPA 1998 and GDPR compliant—pro-processor.

Negotiate with relevant third parties.

Insert date

Awareness

Plan a programme of staff training and awareness.

Insert date

Phase 4: Embed, test and review — by the end of April 2018

CATEGORY | TASK | DATE COMPLETED | COMMENT

Individuals’ rights

Ensure system and process changes have gone live in relation to:

− consent (including in relation to children)

− data portability

− data deletion

− direct marketing

− objections to processing

− restricted processing

− subject access requests

− processing activities beyond the scope for which consent was given

Test and review the new systems.

Insert date

Communicating privacy information

Publish updated privacy notices and ensure any external providers update relevant privacy notices published on your behalf.

Insert date

Data breaches

Roll out and test the updated Data breach plan for consistency with the GDPR, eg regarding notification requirements.

Insert date

Data breaches

Train staff on all new policies and procedures.

Insert date

Privacy by design

Ensure any large-scale projects that impact on privacy incorporate a PIA.

Insert date

Information audit

Check that contract documentation for all third parties with whom you share data is GDPR-compliant.

Insert date

Recommended reading:

Precedent GDPR project plan, which presents the planner in an Excel spreadsheet, suggesting specific months for specific tasks.


To find out more about the new LexisPSL Risk and Compliance module, including all the key risk and compliance areas covered please visit: www.lexisnexis.co.uk/LexisPSLRiskandCompliance

RELX (UK) Limited, trading as LexisNexis®. Registered office 1-3 Strand London WC2N 5JR. Registered in England number 2746621. VAT Registered No. GB 730 8595 20. LexisNexis and the Knowledge Burst logo are registered trademarks of RELX Inc. © 2017 LexisNexis SA-0916-015. The information in this document is current as of March 2017 and is subject to change without notice.