01 - Data Protection by Design

Personal Data Flow Controls

Each database that contains sensitive information now needs to be tracked and recorded within a Risk Register. Any time personal data is stored by a business, whether on a server, a desktop or a laptop, it must be protected from being accessed by cyber criminals or exposed through internal errors (such as leaving devices on public transport). There are multiple ways of achieving this goal, including two-factor authentication, on-device encryption (with remote wipe capability) and granular controls over permissions which stop intruders or mistakes from impacting the privacy of customers and employees.

Each database needs to be reviewed in terms of the data it holds and what a data breach could mean for the data subjects. All databases should be managed in accordance with the Privacy Impact Assessment (PIA) and given the correct control measures that correspond to their level of sensitivity. Bank records and photographic ID records, for instance, should have greater control and prevention measures than a database containing only general contact numbers or email addresses.

Note: this does NOT need to be a flow chart – it just needs to document how data moves within the business, the ways it is protected and how it is monitored at each point.

Data Protection Strategy

Companies must now document their strategy for how they propose to protect sensitive data held by their business. This must cover the full range of devices, including mobile devices, and cover tracking of data once it leaves protected environments. Data should be traceable so that data breaches can be alerted immediately and reported within 72 hours to the regulator and the affected customers. If a company fails to track its data and does not report the breach within 72 hours, it may result in penalties from the governing body, the ICO.

Companies must set out a policy so that this approach remains effective and good practice. If a company is shown to have ineffective or out of date processes they will come under the scrutiny of an audit investigation following a data breach. Companies should be able to demonstrate that policies are being followed and that sensitive data is not being held on unsecured devices.

PIA and Risk Register

Each database that holds personal data – data which can adversely impact a data subject (as opposed to a business) – must have a corresponding PIA which connects to a risk register. A PIA looks at the impact that the data could have, i.e. what could potentially be done with that data in the wrong hands. This is then put on a risk register so an auditor can instantly see the types of data a company holds and what steps it has in place to stop this data getting into the wrong hands.

The purpose of the risk register is so that the persons who are affected can quickly and accurately be informed about what data has been leaked and the potential risks they face. This is then continued via data breach notifications, all of which should correspond to the proper privacy impact assessment. For each privacy impact type there should be a specific document to inform customers about the real risks and how they can resolve the business's error in the shortest time with the greatest outcome for themselves.

02 - Data Gathering (Consent)

‘Good Data’ Policies and Control Measures

Companies must be able to show they have an active approach to cleansing data and not holding it for longer than required. This should feed into the privacy impact assessment and risk register. Companies should look to decrease their overall risk and look to value the quality of data over the quantity, and be able to demonstrate to an outside body that they are putting in control measures to achieve this.

Basic policies might include assessing the value of data in a six month period and looking to remove low quality data, or remove data which has not garnered any response. Companies should look to find how they can interact directly with individual customers rather than send out non-personal marketing messages. Moving towards tools and services that explicitly meet this goal will help companies carry far less risk and manage much less of a burden through GDPR compliance.

Legal Statements

Legal statements during opt-ins should be specific and any changes to how data is used must be updated by informing users on the list of the changes. They must be given the opportunity, at this point, to remove themselves from the list if they are unhappy with the way it is being used (and removed immediately if they opt-out). They also have a new right to request their data at any time (which is covered in Subject Access). Legal statements should cover the policy that covers that database specifically, looking at policies and control measures to ensure a ‘Good data’ strategy.

Some elements of the relevant PIA should be included in the legal statements to ensure the data subject is aware of the risks to themselves in giving up this data. While not in place from the original date of introduction, this will become best practice over the subsequent year and standard practice for businesses who hold a large quantity of sensitive data.

Opt-in and Data Usage

Data subjects must be aware that their data is being held and of its purpose. During data collection, subjects must actively choose to accept that their data is collected and understand its purpose explicitly. Each database that the user is being added to must have a different opt-in message, and opt-ins can no longer be automatically selected – they must be chosen by the subject. Privacy statements must be specific to the database the subject is being added to and must include the policy regarding data control, especially how long the data is being held for, and the customer MUST re-opt-in if the purpose of that data changes.

A company that collects data for one purpose and then uses it for another, for example using customer data for remarketing purposes, will be in breach of the GDPR and will be exposed to fines if the breach is reported to the governing authority. The GDPR also strengthens current regulations surrounding removing customers from marketing lists if requested, increasing the fines for not complying with current legislation.

Companies who hold data which does not have the proper consent prior to the introduction of the GDPR will be exposed to fines should this be discovered during the audit process. If your current opt-in requests cover all of the uses of that data and are compliant with incoming GDPR regulations there is no need for a re-opt-in process, but it must be provable that this is the case. Customers who join lists via phone calls must also be provable through voice recordings, or companies must seek to revalidate these users.

03 - Data Breach Strategy

Data Breach Detection

Companies must have wide-reaching controls over data so they are immediately aware of any potential data breach. All activity on databases which hold data relating to data subjects must be auditable at a granular level on any device. Any loss of data must show all of the records which have gone missing so that each individual can be sent the relevant document which covers each of the points in the PIA.

Data Breach Reporting

Following a data breach, all subjects whose data has been taken must be informed of when the data was taken, how it can be used and the steps they should take to protect themselves. This information can be found within the PIA on the Risk Register. Note that this notification MUST be specific to the type of data held about them.

The relevant authority (in this case the ICO) must also be notified of the breach within 72 hours. Failure to comply will result in a breach of the compliance rules and begin an investigation into why the correct process was not followed. If a company is shown to have willfully covered up a breach or failed customers through gross negligence then the ICO will press criminal charges and push for the largest fines to be applied.

Reporting Policy and Prevention Process Review

Companies should regularly review the tools, policies and controls in place to ensure they are fit for purpose in the aim of halting data breaches and removing the capacity for security risks to cause serious harm to individuals. Companies should have clear documents detailing what should be done in the event of a breach, the persons responsible for managing breaches within the business and their contact information.

Data Controllers must make it their responsibility to ensure encryption tools are kept up-to-date and that data remains secure through technological or managerial changes.

04 - Subject Access

Data Subject Access Requests (SAR)

Following the introduction of the GDPR, companies will no longer be able to charge for providing the data requested unless the amount of data is excessive. The process by which a data subject is able to access their data must also change.

The data subject must receive confirmation (either by confirmation page or email) that their data is being processed. They must be able to easily request their data in a format which corresponds to the specific privacy notice supplied during the opt-in process. This should show what the data has been used for and on what date.

Companies have one month to provide data for a Subject Access Request. If the request is highly complex or numerous you can extend this period by two months as long as you notify the data subject within one month of the receipt of the request and explain why the extension is necessary.

Auditability and Data Control Review Process

Data control is one of the key features of the GDPR. Any time individual data records are accessed or used, it should be logged. This logging process should include the time and date that the data was accessed and used, and what that data was used for.

Essentially the idea is to create an audit trail and show that data has been used in the way it was intended. For instance, if data collected under an opt-in for customer records was then used for re-marketing and promotions, it would constitute a breach of a company’s data protection policy.

Data Recording and Usage Notification

During the opt-in process, customers must have been informed of how their data is going to be used (ie. the intended purpose for data collection). They must also be informed as and when this changes so they can agree to opt-in for the new way data is to be used.

Opt-ins can no longer include automatic opt-in, meaning data subjects must actively agree to any form of data collection. Websites must record the time and date that each user requested to opt-in for the data collection or record the call if data is collected over the phone. If the customer does not wish to opt-in to data collection but their details are required for a transaction then the company can hold that data for as long as it is required but no longer.

All opt-ins must link to the company’s privacy policy, which contains the name and details of the governing body, the company name, company number and registered address. This should also cover the company’s policy concerning how long they hold data for and how data is protected from theft.
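The audit trail described under Auditability and Data Control Review Process, together with the opt-in record that Opt-in and Data Usage and Data Recording and Usage Notification say must be kept (one opt-in per database, its purpose, the time and date it was given, and whether it came from a web form or a recorded call), can be modelled as a small consent ledger checked against an access log. The following is an added example written for this guide, not code from the original document or from any named product; the dataclass names, the reason codes and all the sample consents and access events are constructed for illustration.

```python
"""Consent-aware access audit for personal-data records (added example).

A ConsentLedger holds one opt-in per (subject, database). audit_access()
walks an access log and flags every use that the opt-in on file does not
cover: no opt-in, use before opt-in, use after opt-out, or a purpose the
subject never agreed to (the re-marketing case in the guide).
subject_access_report() returns what a subject's data was used for and on
what date, as a Subject Access Request response requires.
"""
from dataclasses import dataclass, replace
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List, Optional, Tuple

UTC = timezone.utc


@dataclass(frozen=True)
class Consent:
    subject_id: str
    database: str              # each database needs its own opt-in
    purposes: FrozenSet[str]   # purposes the subject explicitly agreed to
    granted_at: datetime       # time and date the opt-in was recorded
    source: str                # "web_form" or "recorded_call"
    withdrawn_at: Optional[datetime] = None


@dataclass(frozen=True)
class AccessEvent:
    when: datetime
    subject_id: str
    database: str
    purpose: str               # what the record was used for
    actor: str                 # system or person that accessed it


@dataclass(frozen=True)
class Finding:
    event: AccessEvent
    code: str                  # one of the reason codes below
    detail: str


NO_OPT_IN = "NO_OPT_IN"
PREDATES_OPT_IN = "PREDATES_OPT_IN"
AFTER_OPT_OUT = "AFTER_OPT_OUT"
PURPOSE_NOT_CONSENTED = "PURPOSE_NOT_CONSENTED"


class ConsentLedger:
    """Opt-ins keyed by (subject, database); withdrawal is recorded, not deleted."""

    def __init__(self) -> None:
        self._consents: Dict[Tuple[str, str], Consent] = {}

    def record(self, consent: Consent) -> None:
        self._consents[(consent.subject_id, consent.database)] = consent

    def withdraw(self, subject_id: str, database: str, when: datetime) -> None:
        key = (subject_id, database)
        if key in self._consents:
            self._consents[key] = replace(self._consents[key], withdrawn_at=when)

    def lookup(self, subject_id: str, database: str) -> Optional[Consent]:
        return self._consents.get((subject_id, database))


def audit_access(ledger: ConsentLedger, events: List[AccessEvent]) -> List[Finding]:
    """Return one Finding per access the recorded opt-in does not cover."""
    findings: List[Finding] = []
    for ev in events:
        consent = ledger.lookup(ev.subject_id, ev.database)
        if consent is None:
            findings.append(Finding(ev, NO_OPT_IN, "no opt-in on file for this database"))
        elif ev.when < consent.granted_at:
            findings.append(Finding(ev, PREDATES_OPT_IN, "access predates the recorded opt-in"))
        elif consent.withdrawn_at is not None and ev.when >= consent.withdrawn_at:
            findings.append(Finding(ev, AFTER_OPT_OUT, "subject opted out before this access"))
        elif ev.purpose not in consent.purposes:
            findings.append(Finding(ev, PURPOSE_NOT_CONSENTED,
                                    f"purpose '{ev.purpose}' not covered; re-opt-in required"))
    return findings


def subject_access_report(events: List[AccessEvent], subject_id: str) -> List[Tuple[str, str, str]]:
    """(date, database, purpose) for every use of one subject's data, oldest first."""
    return sorted((ev.when.date().isoformat(), ev.database, ev.purpose)
                  for ev in events if ev.subject_id == subject_id)


def build_sample_ledger() -> ConsentLedger:
    """Constructed sample consents; subject and database names are invented."""
    ledger = ConsentLedger()
    ledger.record(Consent("subj-001", "orders", frozenset({"order_fulfilment", "customer_service"}),
                          datetime(2018, 5, 25, 9, 0, tzinfo=UTC), "web_form"))
    ledger.record(Consent("subj-002", "newsletter", frozenset({"newsletter"}),
                          datetime(2018, 6, 1, 14, 30, tzinfo=UTC), "recorded_call"))
    ledger.withdraw("subj-002", "newsletter", datetime(2018, 7, 1, 0, 0, tzinfo=UTC))
    return ledger


# Constructed access log: two compliant uses and four that the audit should flag.
SAMPLE_EVENTS = [
    AccessEvent(datetime(2018, 6, 2, 10, 0, tzinfo=UTC), "subj-001", "orders", "order_fulfilment", "warehouse-app"),
    AccessEvent(datetime(2018, 6, 3, 11, 0, tzinfo=UTC), "subj-001", "orders", "remarketing", "marketing-tool"),
    AccessEvent(datetime(2018, 6, 10, 8, 0, tzinfo=UTC), "subj-002", "newsletter", "newsletter", "mailer"),
    AccessEvent(datetime(2018, 7, 5, 8, 0, tzinfo=UTC), "subj-002", "newsletter", "newsletter", "mailer"),
    AccessEvent(datetime(2018, 6, 4, 9, 0, tzinfo=UTC), "subj-003", "orders", "order_fulfilment", "warehouse-app"),
    AccessEvent(datetime(2018, 5, 1, 9, 0, tzinfo=UTC), "subj-001", "orders", "customer_service", "crm"),
]

if __name__ == "__main__":
    for f in audit_access(build_sample_ledger(), SAMPLE_EVENTS):
        print(f"{f.event.when.isoformat()} {f.event.subject_id} {f.event.database}: {f.code} ({f.detail})")
    for row in subject_access_report(SAMPLE_EVENTS, "subj-001"):
        print("SAR subj-001:", row)
```

The checks run in a fixed order (missing opt-in, then timing, then opt-out, then purpose) so that each access yields a single, most specific finding; the purpose check is the one that catches the re-marketing case the guide uses as its example of a breach. Keeping withdrawals as a timestamp rather than deleting the consent row preserves the evidence that earlier uses were lawful, which is what an auditor asks for.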
05 - International Data Control

Upholding Data Protection Standards

Data Transfers made outside the EU must still meet the strict requirements for data control set out by the GDPR. This includes ensuring the data has been collected with the individual’s informed consent and they are recorded on a Risk Register with the assignment of relevant PIA.

Companies must also ensure that transferring data outside of the GDPR area does not break any pre-contractual or contractual clauses. It must be the case that removing the sensitive data from the protected area is necessary for either the performance of a contract, for reasons of public interest, or the establishment, exercise or defence of legal claims.

These regulations do not apply to FOI requests crossing international borders (if the individual has legitimate interest in requesting and inspecting the information.)

Seeking Authority via the Data Commission

Personal data may only be transferred outside of the GDPR data protection area (within the EEA) in compliance with particular conditions. These conditions are essentially set down by the European Commission (currently).

Companies cannot send personal data to countries that have not been verified; however, transfers to non-EU states are also allowed under certain circumstances, such as by use of standard contractual clauses or binding corporate rules (BCRs). These must be verified by the national data protection authorities.

Standard contractual clauses, which previously required prior notice to and approval by data protection authorities, can now be used without the need for approval. A newly introduced scheme in Article 42 also allows for transfers based upon particular security certifications, provided that binding and enforceable commitments are made by the controller or processor to apply the appropriate safeguards during storage on devices.

Transfer Safeguards

Companies must ensure that individuals’ rights are protected and that the data remains available for the data subject, should it be requested, following the transfer.

Safeguards fall into different categories of compliance, each with its own rule set. Typically, once approved, the main tools for companies are a legally binding agreement between public authorities or bodies, binding corporate rules (agreements governing transfers made between organisations within a corporate group) and standard data protection clauses in the form of template transfer clauses adopted by the Commission.

This area looks set to change in the future, with the GDPR leaving space for administrative arrangements between public authorities or bodies to be authorised by the competent supervisory authority.