1.  Identify what personal data is held

The starting point for ensuring data protection compliance is to carry out a thorough review of an organisation’s data processing activities to identify:

  1. whose personal data is held (for example customers, suppliers and employees)?
  2. what personal data is held?
  3. are any special categories of personal data held? (these categories include data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health, sex life or sexual orientation)
  4. is the personal data of any children being processed?
  5. for what purpose(s) is the data used?
  6. do the purposes for which the data is to be used include automatic decision making based on profiling or large scale processing of special categories of data (in which case a privacy impact assessment will be required)?
  7. is any personal data transferred to any other person or organisation?
  8. is any personal data transferred out of the United Kingdom?
  9. is any personal data processed on behalf of any other person?

2.  Confirm proper legal basis for processing

A proper legal basis must be identified for each purpose for which personal data is being processed. Common permitted legal bases for processing include where:

  1. the individual has consented to the processing;
  2. the processing is necessary for the purpose of entering into a contract with the individual;
  3. the processing is necessary to comply with a legal obligation of the organisation;
  4. the processing is necessary to protect the vital interests of the individual or another person;
  5. the processing is necessary for the legitimate interests of the organisation or a third party, where such interests are not overridden by the interests or fundamental rights and freedoms of the individual.

Where consent is relied on as a basis of processing:

  1. is the consent given by means of a positive action of the individual?
  2. can the organisation prove that such consent has been obtained?
  3. does the consent cover all of the purposes for which the data is used?
  4. is consent from children relied upon?

3.  Review data protection notices and privacy policies

Organisations must be transparent about the way in which they process personal data.

Data protection notices or privacy policies should be checked to ensure that they are up to date and compliant which includes setting out:

  1. the identity and contact details of the organisation processing the data;
  2. the purposes of the processing;
  3. the categories of personal data processed;
  4. the legal basis relied upon for the processing;
  5. any recipients or categories of recipient to whom the personal data has been or will be disclosed, in particular recipients in other countries;
  6. where possible, the period for which the personal data will be stored or, if not possible, the criteria used to decide this period;
  7. the right to request correction or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
  8. the right to lodge a complaint with the Information Commissioner;
  9. where the personal data is not collected from the individual, any available information as to its source;
  10. details of any automated decision-making, including profiling, for which the data is used, with details of the logic involved and the significance of such processing for the individual;
  11. where any personal data is transferred outside the EEA, the appropriate safeguards used.

4.  Check for compliance with data protection principles

In addition to the obligation to process data lawfully, fairly and transparently, the organisation’s data processing procedures should be reviewed to check:

  1. is any data processed for any purposes other than those notified to the individual?
  2. is all of the data obtained necessary for and relevant to the purposes for which the data is collected?
  3. is data deleted when it is no longer necessary to keep it and how is the decision regarding how long data may be stored made and applied?
  4. is data stored accurate and up to date and is there a process in place for correcting or updating the data?
  5. what security measures are relied upon to protect against unauthorised or unlawful processing, accidental loss, destruction or damage?
  6. are the technical and organisational measures adopted as security measures sufficient and appropriate to the risk?

5.  Ensure transfers of data are compliant

Additional obligations arise where data is transferred to any other person or organisation (for example where one organisation is processing on behalf of the other) and where data is transferred out of the EU.

  1. Is any data being transferred to any other person (and if so for what purpose and with what safeguards)?
  2. Is any data being processed by or for another organisation?
  3. If data is being processed by or for another organisation is there an agreement in place between the parties to ensure compliance with the GDPR?
  4. Is any data being transferred by the organisation to outside the EU and if so to which countries?
  5. If data is being transferred outside of the EU have appropriate measures been taken to ensure compliance with the GDPR (e.g. use of standard contractual clauses or Binding Corporate Rules)?
  6. Is any data transferred into the UK from the EU (whether by group companies or any other persons)?

6.  Be prepared to deal with subject access requests

Individuals have the right to make a subject access request to obtain details of the processing of their information from organisations generally without charge and generally within one month of request. The request does not need to be in any particular form.

  1. Are relevant staff sufficiently trained to be able to recognise a subject access request?
  2. Does the organisation have procedures in place to deal with a subject access request including the ability to identify and retrieve the data, consider what data should be excluded and deliver the data in an appropriate format within the required time limits?

7.  Pay your fees to the ICO and be prepared for breaches

Following the coming into force of the GDPR, organisations are no longer required to register with the ICO but are obliged to pay an annual fee linked to the organisation’s turnover and number of staff unless their processing is minimal and exempt.

The GDPR requires businesses to notify national data protection authorities of all data breaches without undue delay and where feasible within 72 hours unless the data breach is unlikely to result in a risk to the individuals. If the breach is likely to result in high risk to the individuals, organisations are also required to inform data subjects of specific information regarding the breach without undue delay.

  1. Check using the ICO’s website whether the organisation’s processing of data is exempt and otherwise ensure payment of the appropriate annual fee.
  2. Does the organisation have procedures in place to be able to identify, analyse and report data breaches?

8. Check marketing activities

Direct marketing activities are regulated under the GDPR and under the Privacy and Electronic Communications Directive (PECR). The regulations are complex and differ depending on whether the recipient is an individual or business. Subject to a limited exception where a “soft opt-in” may sometimes be relied upon to continue to email or text individuals who are existing customers in relation to similar products or services and where the individual is advised of their right to opt-out, generally an individual's prior express consent is required.

  1. Does the organisation get involved in direct marketing to former, current or prospective clients?
  2. Is the sending of the marketing communications compliant with the GDPR and PECR?

There are a number of factors which may be relevant to compliance with PECR. Businesses involved in any form of direct marketing should monitor their activities and any changes in the law carefully to ensure compliance and take advice as required.

9.  Use of cookies on websites

The ICO published guidance in July 2019 on the requirements for consent to the use of cookies. The guidance confirms that (other than in the case of cookies which are strictly necessary for the use of the site) prior informed consent to the setting of cookies must be obtained by a positive act of the website user. Any form of passive consent cannot be relied upon.

  1. Does the organisation use cookies on its website?
  2. Other than in the case of cookies which are strictly necessary for the use of the site, is positive consent obtained from website users before the cookies are placed?
  3. Has the cookie policy been updated to set out all the information required to be given to users so that the consent is sufficiently informed that it can be relied upon?

10.  Identify someone to be accountable

The GDPR provides a general obligation of accountability on organisations to ensure compliance with the data protection principles. Organisations employing more than 250 staff, or whose processing is likely to result in high risk to individuals, or whose processing involves special categories of data and is not only occasional, are required to keep records of their processing activities. Organisations involved in large scale processing may be required to appoint a data protection officer.

Fines of up to 4% of worldwide turnover or 20 million euros (whichever is higher) can be imposed for breaches, and the bad publicity associated with such breaches can also be highly damaging. Compliance needs to be built into all of the organisation's processes on an ongoing basis and is likely to involve staff from sales and marketing, technical and IT, and compliance functions.

  1. Identify an individual or team with responsibility for data protection compliance.
  2. Ensure training on data protection issues is disseminated to all in the organisation who need to be familiar with the regulations to ensure the organisation’s compliance.

October 2019

Disclaimer: This Data Protection checklist and action plan is intended to summarise and assist organisations in identifying some key issues relevant to data protection compliance.

It is not intended to provide, and should not be relied upon as providing, legal advice. There are a number of factors and circumstances which may be relevant to legal advice. The law may also have changed before we are able to update the website. If legal advice is required in relation to any of the matters referred to in this checklist, please contact us on 08081668827.
