You should organise an information audit across your business or within particular business areas. One person with in-depth knowledge of your working practices may be able to do this. This will identify the data that you process and how it flows into, through and out of your business. Remember, an information flow can include a transfer of information from one location to another. For example, the information may stay within your business yet a transfer takes place because the department or other office is located elsewhere (off site).

Once you have completed your information audit, you should document your findings, for example in an information asset register. Doing this will also help you to comply with the GDPR’s accountability principle, which requires your business to be able to show how you comply with the GDPR principles, for example by having effective procedures and guidance for staff. If you have less than 250 employees then you must keep records of any processing activities that: * are not occasional; * could result in a risk to the rights and freedoms of individuals; or * involve the processing of special categories of data or criminal conviction and offence data. If you have over 250 employees, you must record the following information: * name and details of your business (and where applicable, of other controllers, your representative and data protection officer); * purposes of the processing; * description of the categories of individuals and categories of personal data; * categories of recipients of personal data; * where applicable, details of transfers to third countries including documentation of the transfer mechanism safeguards in place; * retention schedules; and * a general description of technical and organisational security measures. You may be required to make these records available to the ICO on request.

You need to identify lawful bases before you can process personal data and special categories of data. Your lawful bases for processing have an effect on individual’s rights. For example, if you rely on someone’s consent to process their data, they will have a stronger right to have their data deleted. It is important that you let individuals know how you intend to process their personal data and what your lawful bases are for doing so, for example in your privacy notice(s). See the table at the link below for further information on this. Guide to the GDPR - Lawful bases for processing

The GDPR sets a high standard for consent but remember you don’t always need consent. You should also assess whether another lawful bases is more appropriate. Consent means offering people genuine choice and control over how you use their data. You can build trust and enhance your business by using consent properly. The GDPR builds on the DPA standard of consent in several areas and contains much more detail: * Keep your consent requests separate from other terms and conditions. * Consent requires a positive opt-in. Use unticked opt-in boxes or similar active opt-in methods. * Avoid making consent a precondition of service. * Be specific and granular. Allow individuals to consent separately to different types of processing wherever appropriate. * Name your business and any specific third party organisations who will rely on this consent. * Keep records of what an individual has consented to, including what you told them, and when and how they consented. * Tell individuals they can withdraw consent at any time and how to do this.

Your obligations don’t end when you first get consent. You should continue to review consent as part of your ongoing relationship with individuals, not a one-off compliance box to tick and file away. Keep consent under review, and refresh it if anything changes. You should have a system or process to capture these reviews and record any changes. If your current consent doesn’t meet the GDPR’s high standards or is poorly documented, you will need to seek fresh GDPR-compliant consent, identify a different lawful basis for your processing (and ensure continued processing is fair), or stop the processing.

If you offer online services to children and you rely upon consent, only a child aged 13 or over will be able to provide their own consent. You will therefore need to make reasonable efforts to verify that anyone giving their own consent is old enough to do so. For children under 13 you will need to get consent from whoever holds parental responsibility for the child - unless the online services you offer are for prevention or counselling. You must make reasonable efforts (using available technology) to verify that the person giving such consent does, in fact, hold parental responsibility for the child.

Until May 2018, you are still required to register with the ICO (unless an exemption applies). After May 2018 you need to pay the ICO a data protection fee.

Individuals need to know that their data is collected, why it is processed and who it is shared with. You should publish this information in your privacy notice on your website and within any forms or letters you send to individuals. The information must be: * concise, transparent, intelligible and easily accessible; * written in clear and plain language, particularly if addressed to a child; and * free of charge. The information you supply is determined by whether or not you obtained the personal data directly from the individual or from a third party. See the table at the link below for further information on this. Guide to the GDPR - Right to be informed

You must provide children with the same fair processing information as you give adults. It will be good practice to also explain the risks involved in the processing and the safeguards you have put in place. Any information directed at the child should be concise, clear, and written in plain language. It should be age-appropriate and presented in a way that appeals to a young audience. If you are relying upon parental consent as your lawful bases for processing it will be good practice to provide separate privacy notices aimed at both the child and the responsible adult. If you provide online services and children younger than your target age range are likely to try and access it then it will be good practice to explain any age limit to them in language they will understand.

Individuals have the right to obtain: * confirmation that their data is being processed; * access to their personal data; and * other supplementary information – this largely corresponds to the information that you should be provide in a privacy notice. You should provide a copy of the information free of charge. However, you can charge a ‘reasonable fee’ when a request: * is manifestly unfounded or excessive, particularly if it is repetitive, unless you refuse to respond; or * is for further copies of the same information (that’s previously been provided). This does not mean that you can charge for all subsequent access requests. The fee must be based on the administrative cost of providing the information. You will have less time to comply with a subject access request under the GDPR. Information must be provided without delay and at least within one calendar month of receipt. You can extend this period by a further two months for complex or numerous requests (in which case the individual must be informed and given an explanation). A calendar month ends on the corresponding date of the next month (eg 2 January to 2 February), unless that date does not exist in which case it is the last day of the next month (eg 31 January to 28 February). This means that the legal deadline will vary from 28 days to 31 days depending on the month. For practical purposes if a consistent number of days is required (eg for a computer system), it may be helpful to adopt a 28-day period to ensure compliance is always within a calendar month. You must verify the identity of the person making the request, using “reasonable means”. If the request is made electronically, you should provide the information in a commonly used electronic format.

Individuals have the right to have personal data rectified if it is inaccurate or incomplete. You should respond to a request without delay and at least within one month of receipt. You can extend this period by a further two months for complex or numerous requests (in which case the individual must be informed and given an explanation). If you have disclosed the personal data to a data processor (third party) you must inform them of the rectification where possible. You should regularly review the information you process or store to identify when you need to do things like correct inaccurate records. Records management policies, with rules for creating and keeping records (including emails) can help. Conducting regular data quality reviews of systems and manual records you hold will help to ensure the information continues to be adequate for the purposes of processing (for which it was collected). You should also ensure that there are regular data quality checks completed to provide assurances on the accuracy of the data being inputted by staff. If you identify any data accuracy issues, communicate lessons learned to staff through ongoing awareness campaigns and internal training.

Individuals have the right to be forgotten and can request the erasure of personal data when: * it is no longer necessary in relation to the purpose for which it was originally collected/processed; * the individual withdraws consent; * the individual objects to the processing and there is no overriding legitimate interest for continuing the processing; * it was unlawfully processed (ie otherwise in breach of the GDPR); * it has to be erased in order to comply with a legal obligation; or * it is processed in relation to the offer of information society services to a child. You can refuse to comply with a request for erasure where the personal data is processed for the following reasons: * to exercise the right of freedom of expression and information; * to comply with a legal obligation for the performance of a public interest task or exercise of official authority; * for public health purposes in the public interest; * archiving purposes in the public interest, scientific research historical research or statistical purposes; or * the exercise or defence of legal claims. A written retention policy or schedule will remind you when to dispose of various categories of data, and help you plan for its secure disposal. You should regularly review your retention schedule to make sure it continues to meet business and statutory requirements and any amendments should be agreed with managers and incorporated into the new schedule. You should designate responsibility for retention and disposal to an appropriate person.

Individuals have a right to block or restrict the processing of personal data. When processing is restricted, you are permitted to store the personal data, but not further process it. You can retain just enough information about the individual to ensure that the restriction is respected in the future. You will be required to restrict the processing of personal data in the following circumstances: * Where an individual contests the accuracy of the personal data, you should restrict the processing until you have verified the accuracy of the personal data. * Where an individual has objected to the processing (where it was necessary for the performance of a public interest task or purpose of legitimate interests), and you are considering whether your businesses legitimate grounds override those of the individual. * When processing is unlawful and the individual opposes erasure and requests restriction instead. * If you no longer need the personal data but the individual requires the data to be retained to allow them to establish, exercise or defend a legal claim. You may need to review procedures to ensure you are able to determine where you may be required to restrict the processing of personal data. If you have disclosed the personal data in question to third parties, you must inform them about the restriction on the processing of the personal data, unless it is impossible or involves disproportionate effort to do so. You must inform individuals when you decide to lift a restriction on processing.

The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. They can receive personal data or move, copy or transfer that data from one business to another in a safe and secure way, without hindrance. The right to data portability only applies: * to personal data an individual has provided to a controller; * where the processing is based on the individual’s consent or for the performance of a contract; and * where the processing is carried out by automated means. Information must be provided without delay and at least within one month of receipt. You can extend this period by a further two months for complex or numerous requests (in which case the individual must be informed and given an explanation). You must provide the personal data in a structured, commonly used and machine readable format. Examples of appropriate formats include CSV and XML files. You must provide the information free of charge. If the individual requests it, you may be required to transmit the data directly to another business where this is technically feasible.

Individuals have the right to object to: * processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling); and * processing for purposes of scientific/historical research and statistics. Individuals must have an objection on “grounds relating to his or her particular situation”. However for processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority or for purposes of scientific/historical research and statistics you must stop processing the personal data unless: * you can demonstrate compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual; or * the processing is for the establishment, exercise or defence of legal claims. Individuals also have the right to object to any processing undertaken for the purposes of direct marketing (including profiling). You must stop processing for direct marketing as soon as you receive an objection. There are no exemptions or grounds to refuse. You must inform individuals of their right to object “at the point of first communication” and clearly lay this out in your privacy notice.

The GDPR provides safeguards for individuals against the risk that a potentially damaging decision is taken without human intervention. Individuals have the right not to be subject to a decision when: * it is based on automated processing; and * it produces a legal effect or similarly significant effect on the individual. The right does not apply if the decision: * is necessary for entering into or performance of a contract between you and the individual; * is authorised by law (eg for the purposes of fraud or tax evasion prevention); or * is based on the individual’s explicit consent, and your business has put in place suitable measures to safeguard the individual’s rights, freedoms and legitimate interests. If suitable measures to safeguard the rights of data subjects are required, these must include at least: * obtain human intervention; * express their point of view; * obtain and explanation of the decision and challenge it. The GDPR defines profiling as any form of automated processing intended to evaluate certain personal aspects of an individual, in particular to analyse or predict their: * performance at work; * economic situation; * health; * personal preferences; * reliability; * behaviour; * location; or * movements. If the decision involves the processing of special categories of personal data then the exceptions available to justify the processing are more limited. Processing can only take place if: * you have the explicit consent of the individual and suitable measures to safeguard their rights, freedoms and legitimate interests are in place; or * the processing is necessary for reasons of substantial public interest, proportionate to the aim pursued. You should exercise particular caution if using automated decision making in relation to a child.

The GDPR requires you to show how you comply with the principles. A policy will help you address data protection in a consistent manner and demonstrate accountability under the GDPR. This can be a standalone policy statement or part of a general staff policy. The policy should clearly set out your approach to data protection together with responsibilities for implementing the policy and monitoring compliance. The policy should be approved by management, published and communicated to all staff. You should also review and update the policy at planned intervals or when required to ensure it remains relevant.

You should brief all staff handling personal data on their data protection responsibilities. It is good practice to provide awareness training on or shortly after appointment with updates at regular intervals or when required. Specialist training for staff with specific duties, such as, information security and database management and marketing, should also be considered. The regular communication of key messages is equally important to help reinforce training and maintain awareness (for example intranet articles, circulars, team briefings and posters).

Whenever you use a processor you need to have a written contract in place. The contract is important so that both parties understand their responsibilities and liabilities. The GDPR sets out what needs to be included in the contract. In the future, standard contractual clauses may be provided by the European Commission or the ICO, and may form part of certification schemes. However at the moment no standard clauses have been drafted. You are liable for your processor’s compliance with the GDPR and must only appoint processors who can provide ‘sufficient guarantees’ that the requirements of the GDPR will be met and the rights of data subjects protected. In the future, using a processor that adheres to an approved code of conduct or certification scheme may help you to satisfy this requirement – though again, no such schemes are currently available. Processors must only act on your documented instructions. They will however have some direct responsibilities under the GDPR and may be subject to sanctions if they don’t comply.

You should set out how you (and any of your data processors) manage information risk. You need to have a senior staff member with responsibility for managing information risks, coordinating procedures put in place to mitigate them and for logging and risk assessing information assets. Where you have identified information risks, you should have appropriate action plans in place to mitigate any risks that are not tolerated or terminated.

Under the GDPR, you have a general obligation to implement appropriate technical and organisational measures to show that you have considered and integrated data protection into your processing activities. Under the GDPR, this is referred to as data protection by design and by default. You should adopt internal policies and implement measures which help your organisation comply with the data protection principles – this could include data minimisation, pseudonymisation and transparency measures.

DPIAs help you to identify the most effective way to comply with your data protection obligations and meet individuals’ expectations of privacy. An effective DPIA will allow you to identify and fix problems at an early stage, reducing the associated costs and damage to your reputation which might otherwise occur. You must carry out a DPIA when: * using new technologies; and * when the processing is likely to result in a high risk to the rights and freedoms of individuals. Processing that is likely to result in a high risk includes but is not limited to: * systematic and extensive processing activities, including profiling and where decisions that have legal effects – or similarly significant effects – on individuals; * large scale processing of special categories of data or personal data relation to criminal convictions or offences; and * large scale systematic monitoring of public areas. The DPIA should contain the following information: * a description of the processing operations and the purposes including, where applicable, the legitimate interests pursued by your business; * an assessment of the necessity and proportionality of the processing in relation to the purpose; * an assessment of the risks to individuals; and * controls that you put in place to address any risks you’ve identified (including security).

A DPIA can address multiple processing operations that are similar in terms of the risks, provided adequate consideration is given to the specific nature, scope, context and purposes of the processing. You should start to assess the situations where it will be necessary to conduct one: * Who will do it? * Who else needs to be involved? * Will the process be run centrally or locally? If the processing is wholly or partly performed by a data processor, then that processor must assist you in carrying out the DPIA. It may also be appropriate to seek the views of data subjects in certain circumstances.

It is important to make sure that someone in your business, or an external data protection advisor, takes responsibility for data protection compliance. You may need to appoint a DPO. Any business can appoint a DPO but you must do so if you: * are a public authority (expect for courts acting in the judicial capacity); * carry out large scale systematic monitoring of individuals (eg online behaviour tracking); or * carry out large scale processing of special categories of data or data relating to criminal convictions and offences. The DPO should work independently, report to the highest management level and have adequate resources to enable your organisation meet its GDPR obligations. The DPO’s minimum tasks are to: * inform and advise the organisation and its employees about their obligations to comply with the GDPR and other data protection laws. * monitor compliance with the GDPR and other data protection laws, including managing internal data protection activities, advise on data protection impact assessments; train staff and conduct internal audits. * be the first point of contact for supervisory authorities and for individuals whose data is processed (employees, customers etc).

You should make sure that decision makers and key people in your business are aware of the requirements under the GDPR. Decision makers and key people should lead by example, demonstrating accountability for compliance with the GDPR and promoting a positive culture, within your business, for data protection. They should take the lead when assessing any impacts to your business and encourage a privacy by design approach. They should help to drive awareness amongst all staff regarding the importance of exercising good data protection practices.

You should process personal data in a manner that ensures appropriate security. Before you can decide what level of security is right for you, you will need to assess the risks to the personal data you hold and choose security measures that are appropriate to your needs. Keeping your IT systems safe and secure can be a complex task and does require time, resource and (potentially) specialist expertise. If you are processing personal data within your IT system(s) you need to recognise the risks involved and take appropriate technical measures to secure the data. The measures you put in place should fit your business’s needs. They don’t necessarily have to be expensive or onerous. They may even be free or already available within the IT systems you currently have. A good starting point is to establish and implement a robust Information Security policy which details your approach to information security, the technical and organisational measures that you will be implementing and the roles and responsibilities staff have in relation to keeping information secure.

The GDPR imposes restrictions on the transfer of personal data outside the European Union, to third countries or international organisations. These restrictions are in place to ensure that the level of protection of individuals afforded by the GDPR is not undermined. Personal data may only be transferred outside of the EU in compliance with the conditions for transfer set out in Chapter V of the GDPR.

The GDPR introduces a duty on all organisations to report certain types of personal data breaches to the ICO and, in some cases, to the individuals affected. A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. You only have to notify the ICO of a breach where it is likely to result in a risk to the rights and freedoms of individuals. Where a breach is likely to result in a high risk to the rights and freedoms of individuals, you must notify those concerned directly and without undue delay. In all cases you must maintain records of personal data breaches, whether or not they were notifiable to the ICO. A notifiable breach has to be reported to the ICO within 72 hours of the business becoming aware of it. The GDPR recognises that it will often be impossible to investigate a breach fully within that time-period and allows you to provide additional information in phases. You should make sure that your staff understand what constitutes a personal data breach, and that this is more than a loss of personal data. You should ensure that you have an internal breach reporting procedure in place. This will facilitate decision-making about whether you need to notify the relevant supervisory authority or the public. In light of the tight timescales for reporting a breach - it is important to have robust breach detection, investigation and internal reporting procedures in place.