GDPR Crib sheet, some golden rules - My Inhouse Lawyer (2024)

  • Register with the ICO and appoint a DPO and a Representative (if required)

    You may need to register with the ICO and pay a fee. You may also be legally required to appoint a Data Protection Officer (DPO) who has the expertise, knowledge, and independence to properly advise and report to the highest level of the business on your data processing activities. They can be internal or external, as long as there is no conflict of interest. Even if you don’t require a DPO, you should appoint a privacy lead who can keep you on track in this ever-evolving compliance area.

    If you are outside the UK or EEA but target goods or services to or monitor the behaviour of UK or EEA residents, you may need to appoint a UK Representative or EU Representative or both. If you have a presence in the EEA, such as a branch office, confirm your Lead Supervisory Authority, as they will have oversight over your cross-border EEA activities, while you will be answerable to the ICO for UK-related processing activities.


  • Know your data

    You need to know what personal data you hold, where you store it, what you do with it, who receives it and more in order to properly protect it. It’s a best practice to document this in an evergreen Record of Processing Activities (ROPA) but note that under upcoming UK legislation, it may only be mandatory to keep a ROPA for higher risk data. Pay close attention to special category data, criminal offence data, and children’s personal data, as they require more protection. Visually mapping your data flows makes it easier to get a handle on your processing activities, flag high-risk data and issues, and gain deeper insights into your data. You may also need to adhere to the Age-Appropriate Design Code.

  • Confirm you can, decide if you should

    You can only process personal data if you can demonstrate you meet the conditions for the appropriate lawful basis. Consent is just one of six lawful bases. Make sure you choose the right one. Getting it wrong could be costly or frustrate your business objectives. You’re expected to strike the right balance between your objectives and the interests of the people whose data you process. If they wouldn’t reasonably expect you to use their personal data in the way you’re contemplating, you’ve probably breached the fairness principle. Using deceptive practices, pressure tactics or “dark patterns” to trick people into sharing their data will also be considered unfair.

    PECR (Privacy and Electronic Communications Regulations) creates special rules for marketing, website / app tracking and telecommunications that determine which lawful basis applies. For example, you generally need GDPR-level consent to direct marketing and cookie or tracker use, unless an exception applies. And GDPR’s stringent transparency requirements apply to the entire digital marketing journey, from gathering website or video analytics to email marketing and cold calls.

  • Say what you’ll do, do what you say

    There is a long laundry list of privacy information you must provide to people whose data you process, even if you get it from someone else. You’re expected to deliver the information in a clear, concise, and intelligible manner. Layering is a good technique to satisfy your obligations to notify without sacrificing the user journey/UX. Unless an exception applies, you can only use personal data for the purposes you’ve described in your privacy notice. For example, if you collect mobile numbers of account holders for two-factor authentication, you can’t then use them for SMS marketing or location-tracking unless you let them know in advance and they consent (or don’t object if you can rely on legitimate interests).

  • Be a minimalist and when in doubt, throw it out

    You’re not allowed to collect or keep personal data just because you think it may be useful later. You may only use the amount of personal data that is reasonably necessary, relevant and adequate for your purposes. And you can only keep it for as long as required for those purposes or by law. After that, it must be deleted.

  • Assess and address risks and build in controls

    The GDPR is risk-based, principled and outcomes-focused. The greater the risk to the personal data in question, the greater the protection. You’re required to assess and mitigate the potential risks to individuals of your processing activities and implement “appropriate technical and organisational measures”. Formal assessments are required in certain cases:

    1. Legitimate Interests Assessment: if you rely on legitimate interests for a processing activity
    2. Data Protection Impact Assessment: for higher risk activities
    3. International Data Transfer Assessment: to assess the laws and practices of a country outside the UK or EEA where you wish to transfer personal data, to ensure your recipient can maintain essentially equivalent protection for the personal data, and to decide whether you need to increase protection in other ways, e.g. through strong encryption

    You may face steep fines or other enforcement activities, like a stop order or an order to delete the data, if you fail to do so.

  • Keep it secure, take care when sharing

    Both controllers and processors have explicit legal obligations to maintain appropriate technical and organisational measures to keep personal data they process secure in light of the risks of harm to individuals if the confidentiality, integrity or availability of their personal data were to be breached. Only those with a legitimate need-to-know should have access to or use the personal data, whether inside or outside your business, and you must not only transmit it securely but also ensure the person who receives it maintains that level of protection. You’re also responsible for ensuring personal data is complete, up-to-date, and accurate.

  • Detect, manage and report breaches

    There are strict personal data breach reporting requirements. Reporting and remediation obligations will vary depending on whether you are a controller or processor of the data in question. If you are a controller, you must report certain breaches to the relevant supervisory authority (and to the individuals concerned in some cases) within 72 hours. Processors must report suspected breaches to their controller “without undue delay” to give them time to assess and remedy the situation within the reporting timelines. Processors must also assist the controller in breach response. Handling breaches appropriately involves a lot of advance preparation.

  • Respect rights

    Individuals enjoy enhanced rights over their personal data under the GDPR. In addition to the right to be informed, there are seven rights, which include erasure rights, the right to object to certain processing (like direct marketing), and rights related to automated decision-making and profiling (e.g. with AI). Controllers are directly responsible for responding to rights requests (“DSRs”) within one month, while processors are required to provide reasonable assistance to their controller clients upon request. Again, knowing your data is critical to being able to meet these onerous requirements.

  • Protect it wherever it goes

    GDPR’s protection follows the data, whether you send it to an outside vendor for processing or transfer it outside the UK or EEA. You need to ensure any vendors or third parties provide sufficient guarantees of GDPR compliance, including mandatory terms in your contracts, periodically review your due diligence, and, if your recipient is outside the UK or EEA, meet additional conditions for these “restricted transfers”. You may need to complete or assist with an International Data Transfer Assessment, do more to protect the data, and sign Standard Contractual Clauses.

  • Wherever you are in your GDPR compliance journey, we’re here to help.


    Author: Lakeisha Bayer VM
