General Data Protection Regulation (GDPR) - Gap Analysis

Columns: New regulation requirement | Any significant changes? | What work is required | Team/Dept/System | Owner
(The Team/Dept/System and Owner columns have not yet been completed for any item.)
1. Data Protection Principles

New regulation requirement:
The Data Protection Act principles are revised down to six, but are broadly similar to the current principles:
- lawfulness, fairness and transparency;
- purpose limitation;
- data minimisation;
- accuracy (data quality);
- storage limitation; and
- integrity and confidentiality (security).
A new accountability principle makes Data Controllers responsible for demonstrating compliance with the Data Protection principles.

Any significant changes? No

What work is required:
1. Review current Data Protection policies, codes of conduct and training to ensure these are consistent with the revised principles.
2. Undertake an information audit to understand what data is held, where it is held, in what format it is held, where it is obtained from, and the basis for holding it (consent/legal basis).
3. Identify means to "demonstrate compliance", i.e. how we are meeting the requirements: following codes of conduct as they are issued, keeping paper trails of decisions relating to data processing and, where appropriate, carrying out privacy impact assessments.

Page 1 of 17

2. Lawfulness of processing/further processing

New regulation requirement:
The grounds for processing personal data under the GDPR are broadly the same as now. However, there are new limitations on the use of consent and on the processing of children's data (see sections 3 and 4 below).
There are specific restrictions on the ability to rely on "legitimate interests" as a basis for processing, and some clarification as to when this may be used.
There is a non-exhaustive list of factors to be taken into account when determining whether the processing of data for a new purpose is incompatible with the purposes for which the data was initially collected.

Any significant changes? Yes
Consent is more restrictive.
Article 6(1)(f) (necessary for the purposes of legitimate interests): this ground can no longer be relied on by public authorities processing personal data in the exercise of their functions.

What work is required:
1. Ensure we are clear about the grounds for lawful processing: check these will still be applicable under the GDPR.
2. Review information sharing agreements for any that rely on legitimate interests and amend them to show either a proper legislative basis or consent.
3. Where relying on consent, ensure the quality of consent meets the new requirements, i.e. clear, unambiguous and properly recorded.
4. Consider whether the new rules on children's data are likely to affect us (more under section 4).
5. Ensure that internal governance processes will enable the Trust to demonstrate how decisions to use data for further processing purposes have been reached, and that all relevant factors have been considered.

3. Consent

New regulation requirement:
Consent is subject to additional conditions under the new GDPR.
- There is an effective prohibition on relying on consent where the offering of a service is made contingent on consent to processing that is not necessary for that service.
- Consent must also now be separable from other written agreements, clearly presented and as easily revoked as given.

Any significant changes? Yes
Article 4(8) of the new GDPR text (Article 4(11) in the adopted Regulation) defines "the data subject's consent" as "any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed".
Recital 25 (Recital 32 in the adopted Regulation) suggests that this may be signified by: "ticking a box when visiting a… website, choosing technical settings… or by any other statement or conduct which clearly indicates… the data subject's acceptance of the proposed processing of their personal data. Silence, pre-ticked boxes or inactivity should therefore not constitute consent."
Explicit consent is still required to justify the processing of sensitive/special categories of personal data, unless other legislative conditions (including provision of care where consent is implied, life or death situations, etc.) apply.

What work is required:
Complete review of the consent process. Need to be sure, wherever we are relying on consent as the basis for lawful processing, that:
- consent is active, and does not rely on silence, inactivity or pre-ticked boxes;
- consent to processing is distinguishable, clear, and is not "bundled" with other written agreements or declarations;
- supply of services is not made contingent on consent to processing which is not necessary for the service being supplied;
- data subjects are informed that they have the right to withdraw consent at any time, but that this will not affect the lawfulness of processing based on consent before its withdrawal;
- there are simple methods for withdrawing consent, including methods using the same medium used to obtain consent in the first place;
- separate consents are obtained for distinct processing operations; and
- the organisation does not rely on consent where there is a clear imbalance between the data subject and the controller (especially if the controller is a public authority).
Need to look at how consent is captured and stored, how users can withdraw consent, and how a withdrawal is actioned within systems.

4. Children

New regulation requirement:
There are a handful of child-specific provisions in the new GDPR, particularly in relation to grounds for processing and notices. Children are identified as "vulnerable individuals" deserving of "specific protection".
The GDPR does not prescribe the age at which a person is considered to be a child. Where online services are provided to a child and consent is relied on as the basis for the lawful processing of his or her data, consent must be given or authorised by a person with parental responsibility for the child. This requirement applies to children under the age of 16 (unless the Member State has made provision for a lower age limit, which may be no lower than 13).

Any significant changes?
The current Act does not contain any specific restrictions on processing children's data, and rules on children's ability to consent have been drawn from national laws.
The major provision in relation to children is Article 8, which requires parental consent to be obtained for information society services offered directly to a child under the age of 16, although this ceiling can be set as low as 13 by a Member State, and it only applies where the processing would be based on the child's consent.
The controller is also required, under Article 8(1a) of the GDPR text (Article 8(2) in the adopted Regulation), to make "reasonable efforts" to verify that consent has been given or authorised by the holder of parental responsibility, in light of available technology.
This only affects certain online data; offline data will continue to remain subject to the usual Member State rules on capacity to consent. Article 8(1) is also not to be considered as affecting the general contract law of Member States regarding the validity, formation or effect of a contract with a child. Organisations will still need to consider local laws in this area.

What work is required:
1. This is likely only to affect us if we are offering what the new act describes as "information society services directly to children". I would read this as social media type services, although this definition could be expanded.
2. We will need to assess which national rules will apply in terms of age and ensure that appropriate parental consent mechanisms are implemented, including verification processes.
3. Keep a watching brief on national legislation for offline data processing relating to children's data.
4. Where services are offered directly to a child, ensure notices are drafted clearly with a child's understanding in mind.
5. Sensitive data and lawful processing

New regulation requirement:
"Special categories of personal data" now expressly include "genetic data" and "biometric data" where processed "to uniquely identify a person".
The grounds for processing sensitive data under the GDPR broadly replicate those under the current Act, although there are wider grounds in the area of health and healthcare management.
There is also a broad ability for Member States to adduce new conditions (including limitations) regarding the processing of genetic, biometric or health data.

Any significant changes?
Genetic data (new); and biometric data where processed to uniquely identify a person (new).
Interestingly, data relating to criminal convictions and offences are not categorised as "sensitive" for the purposes of the GDPR. The GDPR rules on data concerning criminal convictions and offences provide that such data may be processed only under the control of official authority or where the processing is authorised by Union law or Member State law that provides adequate safeguards.

What work is required:
1. Ensure we have clarity about the grounds relied on when processing sensitive/special categories of data, and check that these grounds will still be applicable (possibly drawn out through the information audit).
2. Where relying on consent, ensure the quality of consent meets the new requirements in relation to the collection of consent (see section 3 above).
3. Consider whether the rules on children are likely to affect us (see section 4 above).
4. If we process substantial amounts of genetic, biometric or health data, ensure we keep up to date on national developments, as Member States have broad rights to impose further conditions, including restrictions, on the grounds set out in the GDPR.

6. Privacy Notices

New regulation requirement:
Controllers must provide information notices, to ensure transparency of processing.
- Specified information must be provided, and there is also a general transparency obligation.
- Much of the additional information will not be difficult to supply, although it may be hard for organisations to provide retention periods.
- There is an emphasis on clear, concise notices.

Any significant changes? No; it formalises what we should always have had.
The principle of "fair and transparent" processing means that the controller must provide information to individuals about its processing of their data, unless the individual already has this. The controller may also have to provide additional information if, in the specific circumstances, this is necessary for the processing to be fair and transparent.
The information must be provided in a concise, transparent, intelligible and easily accessible way, using clear and plain language.

What work is required:
1. Audit existing privacy notices, review and update them. Look at the ICO guidance on this.
2. For data which is collected indirectly, ensure that a notice is given at the appropriate time (e.g. on websites).
3. Work with relevant partners who may collect data on our behalf to assign responsibility for notice review, update and approval.

7. Subject access, rectification and portability

New regulation requirement:
Data controllers must, on request:
- confirm whether they process an individual's personal data;
- provide a copy of the data (in commonly used electronic form in many cases); and
- provide supporting (and detailed) explanatory materials.
Data subjects can also demand that their personal data be ported to them or to a new provider in machine-readable format where the data in question:
1) was provided by the data subject to the controller;
2) is processed by automated means; and
3) is processed on the basis of consent or the performance of a contract.
The request must be met within one month (with extensions in some cases), and any intention not to comply must be explained to the individual.
Access rights are intended to allow individuals to check the lawfulness of processing, and the right to a copy should not adversely affect the rights of others.

Any significant changes?
We need to provide confirmation of whether his/her personal data are being processed; access to the data (i.e. a copy); and supplemental information about the processing.
As with all data subject rights, the controller must comply "without undue delay" and "at the latest within one month", although there are some possibilities to extend this.
The controller must also use reasonable means to verify the identity of the person making the request, but must not keep or collect data just so as to be able to meet subject access requests. These points are particularly pertinent to online services.
No £10 charge: the copy must generally be provided free of charge.

What work is required:
1. Review the organisation's processes, procedures and training: are they sufficient to understand the SAR rights, as this will impact on time and compliance?
2. Develop template response letters, to ensure that all elements of supporting information are provided, i.e. covering the detailed supporting information.
3. Can we provide data in a portable format (CSV etc.)? It may be necessary to develop formatting capabilities to meet access requests.
4. Consider whether the data relates to more than one data subject and how to address the difficulties this raises.
5. Consider developing data subject access portals, to allow direct exercise of subject access rights.
6. Ensure that the function is adequately resourced and able to meet the one-month response timescale.

8. Right to object

New regulation requirement:
There are rights for individuals to object to specific types of processing:
- direct marketing;
- processing based on legitimate interests or performance of a task in the public interest/exercise of official authority; and
- processing for research or statistical purposes.
Only the right to object to direct marketing is absolute (i.e. no need to demonstrate grounds for objecting, and no exemptions which allow processing to continue).
There are obligations to notify individuals of these rights at an early stage, clearly and separately from other information. Online services must offer an automated method of objecting.

Any significant changes? No

What work is required:
1. Audit privacy notices and policies to ensure that individuals are told about their right to object, clearly and separately, at the point of "first communication".
2. For online services, ensure there is an automated way for this to be effected.
3. Review marketing suppression lists and processes (including those operated on behalf of the organisation by partners and service providers) to ensure they are capable of operating in compliance with the GDPR.

9. Right to erasure and restriction of processing

New regulation requirement:
More extensive, and unclear, rights are introduced: a right to be forgotten (now called erasure) and a right for processing to be restricted.
Individuals can require data to be "erased" when there is a problem with the underlying legality of the processing or where they withdraw consent.
The individual can require the controller to "restrict" processing of the data whilst complaints (for example, about accuracy) are resolved, or if the processing is unlawful but the individual objects to erasure.
Controllers who have made data public which is then subject to a right to erasure request are required to notify others who are processing that data with details of the request. This is a new, wide-ranging and challenging obligation.

Any significant changes? Yes

What work is required:
1. Ensure that members of staff and suppliers who may receive data erasure requests recognise them and know how to deal with them.
2. Determine whether systems are able to meet the requirements to mark data as restricted whilst complaints are resolved, or indeed to delete data if required.

10. Governance obligations

New regulation requirement:
The GDPR requires all organisations to implement a wide range of measures to reduce the risk of their breaching the GDPR and to prove that they take data governance seriously. These include accountability measures such as: Privacy Impact Assessments, audits, policy reviews, activity records and appointing a data protection officer ("DPO").
For those organisations which have not previously designated responsibility and budget for data protection compliance, these requirements will impose a heavy burden.

Any significant changes? Yes

What work is required:
1. The organisation needs to assign responsibility and budget for data protection compliance.
2. The organisation needs to appoint a DPO and to make arrangements for reporting structures, i.e. the need for the DPO to be autonomous, how this sits with other workloads, etc.
3. Supervisory authorities will expect a direct line to the board/senior management, and the job specification for those designated with DPO responsibilities will need to be created.
4. The DPO will need to ensure that a full compliance programme is designed, incorporating features such as: Privacy Impact Assessments, regular DP audits, policy reviews and updates, and training and awareness-raising programmes.
5. Audit existing supplier arrangements and update template RFQs and procurement contracts to reflect the GDPR's data processor obligations.
6. Monitor the publication of supervisory authority / EC and industry-published supplier terms and codes of practice to see if they are suitable for use by the organisation.
