Demonstrating compliance with the UK GDPR – the 12 steps – Part 2


Last month we started looking at the 12 steps which organisations should have taken to prepare for the introduction of GDPR. This is still a very useful approach for determining your compliance status.

In the previous blog we looked at the first four steps.

Here we will look at steps 5-8:

5. Data subject access requests (DSAR) – A DSAR is a request from an individual (the data subject) to an organisation asking what personal data about them has been collected and stored, what is currently being processed and for what purpose. Organisations must have procedures in place for handling such requests. Under UK GDPR you must respond without undue delay and in any event within one month of receiving the request; that period can be extended by up to two further months only where the request is complex or you have received a number of requests from the individual, and you must tell them about the extension within the first month.

Data subjects must be able to exercise their right of access easily and do not have to make their request in writing or in any particular form: a request made verbally, by email or through social media is still a valid DSAR, and it does not need to mention the UK GDPR. Some exemptions apply, and requests are often complicated or submitted by third parties (for example a solicitor or relative) acting on the individual's behalf, in which case you must be satisfied that the third party is entitled to act for them.

CSRB recommends implementing a DSAR Policy and then ensuring all employees that process personal data undertake annual training, which will ensure they can respond to a DSAR promptly and professionally, whilst understanding their responsibilities.

6. Lawful basis for processing personal data – There are six lawful bases for processing personal data under UK GDPR (Article 6). Data controllers are responsible for identifying the lawful basis they rely on for each processing activity and for telling data subjects which one applies.

The six lawful bases are: consent, contract, legal obligation, vital interests, public task and legitimate interests.

Once you have identified which lawful basis applies to each processing activity under UK GDPR, you must document it and update your privacy notice accordingly. Processing without a valid lawful basis exposes your organisation to significant risk, both reputational damage and enforcement action by the ICO, as well as claims from the individuals affected.

CSRB recommends an annual lawful basis for processing review with a certified data protection practitioner and a full annual privacy notice review.

7. Consent – The ICO website says that: “Consent means offering individuals real choice and control. Genuine consent should put individuals in charge, build trust and engagement, and enhance your reputation.”

Organisations should review how they obtain, record and manage consent, and whether changes are needed to meet the requirements of both the UK GDPR and the Privacy and Electronic Communications Regulations 2003 (PECR).

Consent is often chosen as a lawful basis when another basis would be more appropriate. It is the hardest basis to evidence, it must be freely given, specific, informed and unambiguous, and it can be withdrawn at any time. Where it is genuinely required, for example for direct marketing to individuals by email or text message under PECR, it must be obtained and recorded properly.

CSRB recommends understanding when consent can be used and in particular how this relates to any marketing activity the organisation may undertake.

8. Children – You will need to identify whether the nature of your business means you should have procedures in place to protect children and their personal data. For example, you may need to verify an individual's age, or obtain parental or guardian consent, for any data processing activity relating to children.

Also, the age at which a child can give their own consent varies across Europe. In the UK, the Data Protection Act 2018 sets it at 13 for online services offered directly to children, whereas the EU GDPR default is 16 and member states may lower it to anywhere between 13 and 16. Bear in mind too that this is a data protection threshold only; other UK laws and statutes set considerably higher ages for other purposes.

This catches a lot of people out!

CSRB strongly recommends speaking with a certified data protection practitioner if you are processing children’s personal data, so you obtain a full understanding of your data controller responsibilities.


The four steps above, together with those detailed in the first blog, allow us as data controllers and data processors to demonstrate accountability.

The overall aim of these twelve steps is to give you a clear understanding of the requirements of UK GDPR. The Information Commissioner’s Office (ICO) expectation is that “accountability obligations are ongoing.” By demonstrating ongoing compliance with the principles and practice of UK GDPR as outlined in these twelve steps you can start to build a culture of compliance within your business.

CSRB has a simple mission: to be clear and open about personal data protection, what you need, why you need it and what you are legally required to do. We will help you manage and protect that data responsibly while taking the jargon out of the process. Get in touch with us here or call 0117 325 0830 to learn more about the certified data protection support we provide.