A gap analysis is a popular method of assessing compliance against the requirements of the Regulation. It’ll help you identify and prioritise the areas that you should address.
What does a gap analysis involve?
A gap analysis is performed by an individual with in-depth expertise in the GDPR’s requirements, and a deep understanding of the practical realities of implementing suitable processes, controls and other measures to help the organisation achieve compliance.
Can I use a free GDPR gap analysis tool?
While it can be tempting to cut costs, freely available gap analysis tools are rarely as comprehensive as paid-for ones.
More concerningly, these free tools can prove troublesome for users who have limited knowledge of their compliance obligations under the GDPR.
With penalties for non-compliance as high as €20 million (about £17 million), it’s always worth opting for a gap assessment tool that has been developed by qualified experts.
Fortunately, there are many professionally developed and inexpensive gap analysis tools available.
What gap analysis options are available?
There are four different options to consider for conducting a gap analysis:
The DIY approach
Questionnaire-driven gap analysis tools help you assess your organisation’s GDPR compliance posture by quickly identifying any gaps for remediation.
Software solutions offer more benefits than questionnaire-driven tools. Our GDPR Manager tool provides four features in one:
Gap analysis tool
DSAR (data subject access request) management
Data breach monitoring
Third-party management tool
What gap analysis solution is right for me?
The consultant-led approach is ideal for organisations seeking a comprehensive gap analysis. Data protection consultants can offer objective insight into the potential costs and risks involved in implementing a compliance programme.
Not every organisation needs to hire a consultant, though. Smaller organisations can benefit from more affordable tools and solutions that help track and maintain GDPR compliance.
Ten steps to performing a gap analysis
A gap analysis consists of the following stages:
Data protection governance
Assess whether you have the necessary mechanisms in place for:
Data protection accountability and responsibility;
Policies and procedures;
Performance measurement; and
Ensure you employ adequate privacy risk management practices. This includes how you tackle upholding the rights and freedoms of data subjects.
GDPR project resourcing
Establish how you will resource your compliance programme.
DPO (data protection officer)
Determine whether you are required to appoint a DPO.
Roles and responsibilities
Assess whether staff awareness training has been established, and ensure your compliance programme has identified suitable roles and responsibilities.
Scope of compliance
Consider how you have defined the scope of your compliance obligations. Make sure you’ve considered all data processing and data sharing that your organisation is directly or indirectly involved in.
Personal data processes
Check you’ve implemented processes and procedures for each GDPR principle involving personal data. Determine whether a lawful basis for processing personal data has been identified and documented, and ensure you have a suitable DPIA (data protection impact assessment) process in place.
PIMS (personal information management system)
Establish a suitable programme to document your GDPR compliance activities.
ISMS (information security management system)
Implement an ISMS to meet the GDPR’s requirements for securing personal data with “appropriate technical and organisational measures”.
Rights of data subjects
Ensure you have a process in place for facilitating data subjects’ rights, including responding to DSARs.
Get serious about GDPR compliance
Choose the best gap analysis solution for your resource availability, budget and compliance needs.
The broad range of skills required to succeed as a DPO (data protection officer) makes it a tough position to fill. DPOs need to work with staff to answer data protection questions, monitor the organisation’s data protection policies and procedures, and, of course, have expert knowledge of the GDPR (General Data Protection Regulation).
We therefore wouldn’t expect an organisation to simply tell its newly appointed DPO to get straight to work. Instead, they should be given specialist training to help them excel.
DPOs are naturally expected to have expert understanding of data protection law, and they should have received GDPR training. However, the shortage of skilled DPOs means not every organisation will be able to appoint someone who already knows the Regulation inside out. Many will have to make do with their resident data protection and privacy expert, who may well have a strong understanding of the GDPR, but will need to bone up on the Regulation’s requirements to fulfil all the DPO’s tasks.
Studying will also help DPOs understand how the GDPR works in practice. Those who are new to the job will quickly learn that there’s a huge difference between understanding the Regulation’s requirements and ensuring that the organisation implements them. It’s only through practical exercises that DPOs can learn to bridge that gap.
2. They need to learn how to be independent advisors
Arguably the trickiest part of being a DPO is liaising with employees on the organisation’s data protection practices. DPOs must advise staff on their data protection responsibilities and monitor whether they are being met, but they must also operate independently and without instruction from the organisation.
This means an employer can’t help the DPO perform their duties, and the DPO can’t overstep their boundaries when advising employees on how to achieve compliance. Doing so would effectively make them responsible for that activity, jeopardising their status as independent advisors free from conflicts of interest.
As such, DPOs must learn what they can and can’t say in their role, a skill that’s particularly important if they take on the responsibilities alongside their existing role.
3. It helps them prepare for disaster
DPOs play a crucial role in the data breach response process. The GDPR gives organisations 72 hours from the time they become aware of a breach to disclose it to their supervisory authority. The disclosure should include explanatory details about the incident, such as what caused the breach, how many records were affected and the types of information involved.
It’s the DPO’s responsibility to record all these details (acquired from relevant members of staff) and relay them to the supervisory authority by email or phone.
The task itself is relatively straightforward if the DPO is sufficiently prepared. This generally means having the supervisory authority’s contact details to hand, as well as a list of the details you are required to provide. A meticulous DPO might also prepare a list of employees who are best suited to providing the necessary information, as well as alternatives if that person is away from the office.
However, without specialist training, your DPO will have to figure out how to plan for breaches by themselves. (Remember, you can’t advise them.) Maybe they’ll manage, but do you want to take the chance? Particularly when the stress and panic that comes with a data breach could lead to your DPO making a crucial mistake.
Almost one year on from the introduction of new data protection laws, more than half of UK schools and colleges reveal they are not fully compliant. In a recent survey from edtech giant RM Learning and Trend Micro, 14% of respondents also admitted to not having a clear plan to become compliant with the GDPR (General Data Protection Regulation).
On the plus side, over 80% said that they had taken steps towards becoming compliant, mostly in the form of updating policies, training staff, appointing a DPO (data protection officer) or carrying out a data audit. Despite this, 46% cited a lack of security awareness as one of the biggest challenges in complying with data protection regulations.
Mandatory breach recording and reporting
The GDPR expects organisations to record all data breaches and, in some circumstances, report these to the ICO (Information Commissioner’s Office) within 72 hours of becoming aware. Worryingly, 29% of those surveyed said they did not have a formal breach response process in place, putting them at risk of serious non-compliance, should a breach occur.
Beware the inside threat
75% of schools and colleges regard their staff as the biggest threat to data, with cyber criminals seen as a bigger threat in just 19% of organisations. Careless staff can be just as big a threat as a malicious insider – awareness and training play a key role in protecting the sensitive data educational institutions hold.
Easy steps to reduce the risks and demonstrate GDPR compliance
For schools and colleges, the good news is that the risks highlighted in this survey can be reduced in a simple and cost-effective manner. As the survey suggests, human error is one of the biggest risks to data security. Losing data or sending it to the wrong people top the list of data breach causes across all sectors, and cyber criminals see busy staff as easy targets for scams like phishing. Staff training can significantly reduce these risks.
Train staff with e-learning from IT Governance
Our e-learning modules cover the GDPR, cyber security, appropriate use of Cc and Bcc in emails and how to spot phishing scams.
Demonstrate compliance with GDPR.co.uk
The GDPR.co.uk platform includes a data breach recording functionality that can report breaches directly to the ICO, DSAR (data subject access request) recording, staff GDPR training, and data and supplier mapping functionality – all the elements required to demonstrate GDPR compliance.
We offer a 10% discount on all our products and services to ASCL and COBIS member schools.
A version of this blog was originally published on 6 February 2018.
The GDPR (General Data Protection Regulation) isn’t just about implementing technological and organisational measures to secure the information you store. You also need to demonstrate your compliance, which is why data protection policies are essential.
In this blog, we explain what a GDPR data protection policy is, what it should include and how to simplify the documentation process.
What is a data protection policy?
A data protection policy is an internal document that serves as the core of an organisation’s GDPR compliance practices. It explains the GDPR’s requirements to employees and states the organisation’s commitment to compliance.
The data protection policy doesn’t need to provide specific details on how the organisation will meet the Regulation’s requirements, as these will be covered in the organisation’s procedures. Rather, a policy only needs to outline how the GDPR relates to the organisation.
Take data minimisation as an example. Whereas your procedures should state exactly how you will ensure this principle will be met (for example, you might require that any prospective data collection activities be accompanied by a document explaining why processing is necessary), your policy need only state that the organisation will address that principle.
Why you need a GDPR data protection policy
Data protection policies serve three goals. First, they provide the groundwork from which an organisation can achieve GDPR compliance. The Regulation as it’s written is simply too complex to be used as a basis for an implementation project. Imagine starting on page one and planning your compliance practices as you go; it would be a mess.
Instead, you should use the data protection policy as a cheat sheet, breaking the GDPR’s requirements into manageable chunks that are applicable to your organisation.
That brings us to the second goal: to make the GDPR understandable to your staff. Remember, most people responsible for compliance aren’t data protection experts and won’t have pored over the Regulation’s principles to understand why these rules are in place.
A data protection policy is the ideal place to address that, explaining in simple terms how the GDPR applies to employees and what their obligations are.
Finally, data protection policies prove that organisations are committed to GDPR compliance. Article 24 of the GDPR specifies that organisations create a policy in order to “demonstrate that [data] processing is performed in accordance with this Regulation”.
Being able to demonstrate compliance is essential when it comes to regulatory investigations. If a customer complains that an organisation has misused their data or hasn’t facilitated one or more of their rights as a data subject, the organisation will be subject to an investigation from their supervisory authority.
A data protection policy will be the first piece of evidence the regulator looks for to see whether the organisation takes the GDPR seriously. From there, the supervisory authority may determine whether the organisation met its regulatory requirements and, if it didn’t, whether the violation was due to a mistake or widespread neglect of the Regulation’s requirements.
The answer to this will determine what disciplinary action is levied. A one-time mistake might be met with a slap on the wrist and a reminder to be more thorough in the future, but a systemic failure will almost certainly lead to a significant fine.
What your data protection policy should include
You can include as much or as little information in your GDPR data protection policy as you like, but we recommend that you cover:
The purpose of the policy: This can serve as your introduction, explaining the policy’s relation to the GDPR, the importance of compliance and why the policy is necessary.
Definition of key terms: The GDPR is full of data protection terminology that you will need to explain. This section should include notoriously tricky terms like ‘controller’ and ‘processor’, but you might also want to clarify things like ‘data subject’, which aren’t as clear-cut as you might think.
Scope: The GDPR’s requirements apply to EU residents’ personal data and anyone in your organisation who processes that information.
Principles: Explain the GDPR’s six principles for data processing, as well as accountability (which is also a principle but addressed slightly differently). You should also briefly note your commitment to meeting these principles.
Data subject rights: The GDPR endows individuals with eight data subject rights. You should define them and state that you will ensure they are met.
DPO (data protection officer): You should provide the name and contact details of your DPO. If you’ve chosen not to appoint one (some organisations are exempt from this requirement), you should list the senior member of staff responsible for data protection.
Want a quick and easy data protection policy template?
Putting all the necessary information into a policy from scratch is a tough ask, which is why some organisations simply adapt their existing data protection policy to include GDPR-specific elements.
We don’t recommend this approach, because you can easily overlook essential requirements. However, we understand the desire for help, which is why we offer a GDPR Data Protection Policy Template.
With this document, designed by our expert information security practitioners, you can create a GDPR-compliant data protection policy in minutes.
Stop us if you’ve heard this one before: organisations that fail to meet the requirements of the GDPR (General Data Protection Regulation) face fines of up to €20 million (about £17.3 million) or 4% of their annual global turnover.
Experts have been warning organisations about this since long before the Regulation took effect on 25 May 2018, but their advice has started to fall on deaf ears. That’s somewhat understandable, given that no UK organisation has yet been disciplined under the GDPR.
But that’s about to change – and here’s why.
GDPR fines expected in June
The UK’s supervisory authority, the ICO (Information Commissioner’s Office), doesn’t issue fines lightly. This has been the case for years, and that’s why it typically takes about twelve to fifteen months for it to complete investigations and decide upon disciplinary measures.
Likewise, the data protection watchdog began communications with the London Borough of Newham in April 2018 after complaints that it had breached the personal data of more than 200 people. On 4 April 2019, the ICO issued a fine of £145,000.
Other investigations that have recently concluded include an NHS manager who misappropriated information, a funeral home that sent nuisance calls to thousands of people and a television company that filmed a maternity ward without parents’ consent. These incidents were all reported to the ICO in November 2017, meaning the supervisory authority spent more than a year investigating.
When you consider that alongside the fact that the GDPR can’t be applied retroactively, it’s easy to see why we’re yet to see a fine under the GDPR in the UK. It’s not that organisations have gone unpunished in the past year; it’s that the ICO has been working through breaches that occurred before the Regulation took effect.
With the ICO now concluding investigations into incidents that were reported at the end of April 2018, it’s only a matter of time before the authority moves on to incidents that occurred on and after that landmark 25 May 2018 date.
If the ICO maintains its twelve-month timeframe for investigations, we could see the first GDPR fine in the UK in late May or early June.
Which organisation will be the first to be fined?
Regulatory fines aren’t handed out on a first come, first served basis, so it’s hard to say which UK organisation will enter the GDPR record books. Many people have speculated that the ICO will be looking for a mammoth fine to make other organisations sit up and take note.
A far more likely candidate is Dixons Carphone. The retailer was hit by a cyber attack in July 2017 but the damage wasn’t discovered for almost a year. The ICO commented: “We will look at when the incident happened and when it was discovered as part of our work, and this will inform whether it is dealt with under the [Data Protection Act] 1998 or [the GDPR].”
Unlike the Dixons Carphone incident, the breach occurred after the GDPR took effect and is a clear violation of the Regulation’s requirements.
Those affected had requested that their personal and health information should be used only for medical purposes. However, the SystmOne application never passed on the request to NHS England’s IT provider, meaning the information was also used for research and auditing purposes.
It’s not a devastating breach in the grand scheme of things, but it’s still a violation of the individuals’ right to object to processing – one that could prove to be a regulatory landmark.
Looking for a fast and affordable route to GDPR compliance?
The organisations that have come under investigation for GDPR violations haven’t failed for a lack of effort. Their shortcomings are more likely a result of the complexity of the Regulation’s requirements, and the cost and disruption of implementing them.
These challenges are particularly tough to overcome for SMEs, which often lack the resources to tackle implementation effectively. Unfortunately, they are also the most likely to suffer from GDPR violations, with a regulatory breach potentially causing ruinous financial and reputational damage.
You can avoid that fate with IT Governance’s GDPR Quick-Comply for SMEs. This bundle is tailored specifically for smaller organisations, providing essential resources, like staff awareness training and a documentation toolkit, to fast-track your implementation project.
This blog has been updated to reflect industry updates. Originally published June 2017.
On 25 May 2018, the EU’s GDPR (General Data Protection Regulation) superseded the UK’s DPA (Data Protection Act) 1998. With the Regulation expanding the definition of personal data, many organisations were uncertain as to what the new definition includes.
The scope of personal data
Let’s start with the circumstances under which the processing of personal data must meet the GDPR’s requirements. This set of circumstances is now broader than under the DPA, with Article 2 of the GDPR stating that the Regulation applies to “the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system”.
What constitutes personal data?
The GDPR’s definition of personal data is also much broader than under the DPA 1998. Article 4 defines personal data as “any information relating to an identified or identifiable natural person (‘data subject’)”. It adds that:
an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Perhaps the biggest implication of this is that, under certain circumstances, personal data includes online identifiers such as IP addresses and mobile device IDs. Similarly, the GDPR introduces the concept of ‘pseudonymous data’ – personal data that cannot be attributed to the data subject without some additional information.
The qualifier of ‘certain circumstances’ is important to highlight here, because it’s often the context in which information exists that determines whether it can identify someone. The same issue applied to the DPA 1998, and the ICO uses the example of a person’s name to explain this issue:
By itself the name John Smith may not always be personal data because there are many individuals with that name. However, where the name is combined with other information (such as an address, a place of work, or a telephone number) this will usually be sufficient to clearly identify one individual.
However, it also notes that names are not necessarily required to identify someone:
Simply because you do not know the name of an individual does not mean you cannot identify that individual. Many of us do not know the names of all our neighbours, but we are still able to identify them.
Generally, if you’re unsure whether the information you store is personal data or not, it’s best to err on the side of caution. This means not only making sure that data is secure, but also reducing the amount of data you store and ensuring that you don’t store any information for longer than necessary.
DPO as a service (GDPR)
GRCI Law’s DPO as a service enables you to outsource the DPO role to an expert, helping you to comply with your GDPR obligations without losing focus on your core business activities.
Our DPO team has experience advising clients in a wide variety of sectors, including financial institutions, professional services, education, and health and social care, and we can tailor our service to your unique requirements.
Grove’s PECR failure wasn’t for a lack of effort. The organisation hired a data protection consultant for advice, and ran its plan past an independent data protection solicitor.
Unfortunately, the counsel was either wrong or Grove didn’t take it on board. Either way, the ICO pointed out that the organisation was responsible for its own actions.
The ICO’s director of investigations and intelligence, Andy White, said: “Spam email uses people’s personal data unlawfully, filling up their inboxes and promoting products and services which they don’t necessarily want.
“We acknowledge that Grove Pension Solutions Ltd took steps to check that their marketing activity was within the law, but received misleading advice. However, ultimately, they are responsible for ensuring they comply with the law and they were in breach of it.
“The ICO is here to provide businesses with guidance about electronic marketing and data protection, free of charge. The company could have contacted us and avoided this fine.”
What are the PECR’s consent requirements?
The PECR states that organisations must obtain explicit consent whenever they send unsolicited electronic communications for marketing purposes. Unlike the GDPR (General Data Protection Regulation), the requirements apply even when personal data isn’t being processed.
In this instance, Grove relied on indirect consent. That is to say, it used email addresses provided by people who, in the process of consenting to another organisation’s service, agreed to be contacted by third parties.
However, the ICO’s PECR guidance states that it’s not enough to say that an individual might be contacted by “similar organisations”, “partners” or “selected third parties”.
The request must be from the organisation in question, or a third party that specifically names the organisations that will be given access to individuals’ contact information.
Don’t make the same mistake
As Grove learned to its cost, the PECR can be a minefield to navigate, particularly when you also need to meet the GDPR’s requirements. Any organisation that’s unsure about its compliance status should consider our PECR Audit Service.
With this service, an independent assessor reviews your processes and delivers a detailed report, showing you how to resolve any areas of non-compliance.
In this blog, we explain why the DPA 2018 exists, what it contains and how it relates to the EU GDPR.
Similarities between the DPA 2018 and the EU GDPR
You can think of the DPA 2018 as a UK-specific version of the EU GDPR. It enacts the Regulation’s requirements into UK law, clarifies certain terms, such as ‘controller’ and ‘public authority’, and documents the UK’s position on aspects of the Regulation that member states are free to adjust.
The most prominent of these adjustments is the age at which a data subject is no longer considered a child. The EU GDPR sets this at 16 but allows member states to set the threshold as low as 13, which the UK has done.
This is just one of the reasons that you must read the DPA 2018 and the EU GDPR alongside one another. Doing so enables you to see your overall requirements and the things you must take into account when dealing with UK residents.
Moreover, after Brexit, the EU GDPR will be enacted in UK law under the European Union (Withdrawal) Act 2018. This new regime – the UK GDPR – will ensure that data protection requirements remain as consistent as possible after Brexit.
The course contains eight modules that cover everything you need to know about the DPA 2018. You can study at your own pace, pausing and picking up the content around your schedule. This makes it perfect for anyone who can’t commit to a whole day’s uninterrupted training or who wants the option to repeat tricky topics and skip familiar territory.
This rule applies to any organisation outside the EU that monitors the behaviour of, or provides goods or services to, EU residents.
The representative will be a point of contact for data subjects and supervisory authorities concerning data protection queries. They’ll also keep a record of data processing activities the organisation carries out.
This requirement wasn’t widely discussed in the UK when the GDPR took effect, because it didn’t apply. However – and we hope we’re not breaking news to you here – the UK will soon be leaving the EU, which means a swathe of organisations need to establish EU representatives.
Does this requirement affect all UK organisations?
UK organisations only need to appoint an EU representative if they monitor or provide goods or services to EU residents.
If you deal exclusively with UK-based customers, you therefore won’t be required to appoint an EU representative. That’s because as soon as the UK is no longer in the EU, your customers will cease to be EU residents.
However, if your data processing or monitoring extends to other EU member states, you’ll probably be required to appoint an EU representative. There are two exemptions:
Organisations that have an office and employees based in the EU.
Organisations whose processing activity is occasional, doesn’t include large-scale processing of special categories of data and is unlikely to result in a risk to the rights and freedoms of natural persons (see Article 27 of the GDPR for more information).
These exemptions don’t apply to public authorities, which must always have a DPO.
Selecting your EU representative
Your EU representative can be any natural or legal person who’s based in an EU member state within which you collect personal data.
If you only collect information from data subjects in, say, France, your EU representative must be based in France. However, if you collect personal data from the entirety of the EU, you can appoint a representative from any EU member state.
When you have multiple countries to choose from, it’s best to select the one in which you collect the most data or conduct the most extensive monitoring.
How the Brexit negotiations affect this requirement
UK organisations only need to have an EU representative once the UK is no longer a member of the EU. This was originally set to happen on 29 March 2019, but a delay is almost certain at this point, and that will in turn delay the date at which you need to appoint an EU representative.
But whereas most things Brexit-related remain uncertain, causing organisations to take a wait-and-see approach to business, the requirement for an EU representative is straightforward. The UK will in all likelihood be leaving the EU, whether that’s in a few weeks, months or a year, and at that point you’ll need an EU-based representative.
Appoint your EU representative before Brexit
You can find an EU representative quickly and easily with the help of our sister company GRCI Law.
Led by a team of lawyers, barristers, and information and cyber security experts, GRCI Law can take the strain of GDPR compliance, acting as your EU representative for personal data processing activities.
In the nine months since, you’ve hopefully been able to get to grips with your compliance requirements. You should have also noticed that compliance isn’t a fixed status. Your organisation, like the cyber threat landscape, is constantly evolving, meaning you should always be considering ways to adjust and strengthen your security and privacy measures.
The compliance solution you choose will obviously depend on what aspect of the GDPR you want support with. In this section, we explain what each product and service entails and who would benefit from it.
Assess your data protection practices, create a clear audit trail and speed up your internal compliance processes with our four-in-one GDPR compliance solution.
This Cloud-based tool includes four modules to help you manage a range of core GDPR aspects on one platform, covering data breach reporting, SARs (subject access requests), gap analyses and monitoring the compliance status of third parties.
Both packages come with three hours of consultancy support from our sister company GRCI Law.
GRCI Law specialises in data protection, data privacy, and cyber and information security law. The team consists of lawyers, barristers and information security specialists.
You can use your consultancy time on any of GRCI Law’s solutions, whether that’s to support your DPO (data protection officer), data breach, DSAR or data privacy management needs, or for specific legal advice, such as the reviewing and drafting of contracts and advising on international data transfers.