General Data Protection Regulation – 3 months to go
With the GDPR set to come into force on 25 May 2018, Cathrine Ripley looks at the key actions businesses should have taken, or need to take urgently, to be ready in time.
The GDPR will update existing data protection law to align it more closely with modern technology and the privacy issues raised by today’s information society.
It can be described as “evolution rather than revolution” – the new rules build on the current data protection regime but they do introduce a number of significant changes.
The increased level of fines which can be imposed for infringements after the GDPR comes into force has generated most publicity (up to €20 million or 4% of annual global turnover, whichever is higher) but the other key changes include:
- New rules where an organisation relies on data subject consent to process personal data.
- Increased obligations for data processors.
- New requirements for data processing contracts.
- New rights for data subjects (including a “right to be forgotten” and a right to object to profiling and other automated decision making).
The Information Commissioner’s website has a lot of useful information on the GDPR but making sense of all the requirements and deciding what to implement (and how) can seem daunting.
Making a Start
Every organisation processes personal data to some extent and the GDPR introduces a new accountability requirement. Article 5(2) provides that “the data controller shall be responsible for, and be able to demonstrate compliance with,” the key GDPR principles. So it is clear that doing nothing is not an option.
The first step is to recognise that GDPR requires a resource commitment. Data protection touches every area of an organisation so a GDPR team should be formed with representatives from operations, IT, finance and HR. It is likely you will need some legal input too.
You cannot make changes to comply with GDPR until you have a full understanding of the organisation’s current position from a privacy perspective. We therefore recommend you begin by undertaking an internal audit to assess (amongst other things):
- What personal data do you process?
- Do you hold special category (i.e. sensitive) personal data?
- Where does the data come from?
- What is your lawful basis for processing the data?
- Where is the data held and for how long?
- Who is the data shared with and why?
- How is the data kept secure?
- Is the data transferred outside the EEA (European Economic Area)?
- What procedures do you have in place for reporting data breaches and dealing with data subject access requests?
You will then need to review the audit results and decide what changes you need to make (this is a point where legal advice can be useful). The next steps will include some or all of the following:
1. Implement changes (which may include refreshing consents).
2. Consider whether you need to make changes to your IT (in particular to meet the requirements of the new rights of data subjects and to ensure your data is sufficiently secure).
3. Update documentation (for example privacy notices, data protection policy, terms and conditions, and contracts for data processing).
4. Consider appointing a data protection officer.
5. Train your staff.
6. Keep proper records of your actions to meet the GDPR’s accountability requirement.
7. Review at regular intervals, e.g. every 6 or 12 months.