The clock is ticking: with only 14 months before the GDPR is enforced, is your business ready to ensure it is compliant?
Vanessa Cozens, CEO of The GDPR Clinic
The European General Data Protection Regulation (GDPR) is due to be enforced from May 2018, and the UK’s exit from the EU does not mean you do not need to comply. If you provide a service within the EU or the UK that involves processing the personal data of EU citizens, then you will be legally obliged to comply.
The GDPR is the biggest change to happen to data protection in more than 20 years, since the UK’s Data Protection Act, and will enhance the protection of individuals’ data. Non-compliance comes with severe penalties, and companies could face fines of up to €20m or 4% of annual global turnover, whichever is greater.
The major change for any organisation gathering, holding or processing personal data, even something as simple as an email address, is that both internal and external partners are equally responsible. So if you use third parties in any form, you need to be sure that they are also compliant.
The legal framework and clauses contained in the regulations and acts are very clear on what constitutes personal data, and very stringent on reporting breaches: it is no longer legal to brush breaches under the carpet and hope no one notices.
So, what steps can you take now to start getting ready?
- Get buy-in from your key business personnel and ensure that they are aware of the new legislation and the impact it is likely to have on the business.
- Document what personal data you currently hold, what its original purpose was and who you have shared it with.
- If you hold inaccurate data, it needs to be rectified, and if you have shared that data with other organisations you will need to inform them so they can amend their records too.
- Review your privacy notices and make any necessary changes to comply with the GDPR. Currently you are required to give people information about how you intend to use their information, but under the GDPR you will also need to explain the legal basis for processing the data, the length of retention and who the data may be shared with. This needs to be presented in a concise, easy-to-understand format.
- Ensure you have a clear policy stating how long data will be held and a procedure for how that data will be deleted at the end of that period.
- Individuals have the right to access the data that you hold about them and to have that information corrected or erased (the right to be forgotten). The GDPR imposes shorter timeframes for making this information available to data subjects and removes the charge to individuals for making such a request. It is therefore essential that you have a procedure in place to deal with subject access requests in a timely manner.
- Make sure you understand the legal basis for processing the data you collect; you will need to be able to explain this in your privacy notice. Data subjects will have greater rights to have their data deleted if you use consent as the legal basis.
- Consent needs to be a positive indication of agreement to the processing of personal data. Review how you currently obtain and record consent and ensure that the system you have in place will be GDPR compliant. It will no longer be acceptable for consent to be inferred from silence or pre-ticked boxes.
- Make sure you have procedures in place to detect, report and investigate a personal data breach.
- Data Protection Impact Assessments (DPIAs): assess which processes in your business will require a DPIA, and decide how these will be managed and who will be responsible for conducting them. Here is a link to a useful guide from the ICO: ICO Guidance for PIAs.
- If required, you should designate a Data Protection Officer (DPO), or someone to take responsibility for data protection compliance within your organisation. The GDPR does not require all organisations to appoint a designated DPO, but in all cases it is important that someone has ownership of, and responsibility for, managing your data protection compliance. It will be important that this person has the full support of the business to do this effectively. This role can be in-house or contracted to an external consultant.
- If you are an international business, you need to determine which data protection supervisory authority you come under. If you are not sure, the ICO will be able to offer you some guidance.
Many of these things could be time consuming and may require you to implement training programmes and change procedures and policies. For many organisations these steps will be necessary, and to meet the deadline you will need help.
Please note that this post is not meant to be an exhaustive list of everything that needs to be done, nor legal advice on becoming GDPR compliant. It is an overview of some of the main points that businesses should be reviewing in their journey towards ensuring compliance before the deadline.