The General Data Protection Regulation (GDPR) will apply from 25 May 2018 so, if you haven’t already, you'll need to start preparing for it now.
It is essential to understand the possible implications for GDPR compliance and to have a plan in place, because you may need to review your approach to governance and how you manage data protection as a corporate issue. The GDPR focuses its attention on the documentation which data controllers must keep to demonstrate their accountability.
If you are already complying with the current Data Protection Act (DPA), then most of your approach to compliance will remain valid under the GDPR. However, there are a few new elements and significant enhancements, so you will have to do some things for the first time and some things differently.
To make sure that you comply, here are 12 steps to help your business prepare for the EU GDPR:
Step 1: Raise awareness. Make sure that key players in your organisation are aware that the laws of data protection are changing. Ensuring that your business is compliant with the GDPR could have significant resource implications. If preparation is left to the last minute, you may find it difficult to complete in the limited time remaining.
Step 2: Document everything. The personal data you hold, where it came from and who it is shared with will need to be documented. The GDPR requires you to maintain records of your processing activities. This may mean that you’ll need to organise an information audit across the organisation or within particular business areas.
Step 3: Review current privacy notices. Under the existing Data Protection Act (DPA), businesses provide information such as their identity and the intended use when collecting personal data. This is usually done through a privacy notice. However, under the GDPR there are some additional details which you will need to share, in concise, clear and easy to understand language. For example, you’ll need to explain your lawful basis for processing the data, your data retention periods and that individuals have a right to complain to the ICO if they have a problem with the way that you’re handling their data.
Step 4: Check the rights of individuals. Check the procedures which you already have in place to ensure that they cover all the rights individuals have.
The GDPR includes the following rights for individuals:
- the right to be informed;
- the right of access;
- the right to rectification;
- the right to erasure;
- the right to restrict processing;
- the right to data portability;
- the right to object; and
- the right not to be subject to automated decision-making, including profiling.
Generally, the rights individuals have under the GDPR are the same as those under the DPA, but with some significant enhancements.
However, the right to data portability is a new one which applies:
- to personal data an individual has provided to a controller;
- where the processing is based on the individual’s consent or for the performance of a contract; and
- when processing is carried out by automated means.
Step 5: Review & update request procedures. To take into account the new rules, you should update your procedures and plan how you will handle requests going forward:
- In most cases you will not be able to charge for complying with a request.
- You will have one month to comply, rather than the current 40 days.
- You can refuse or charge for requests that are manifestly unfounded or excessive.
- If you refuse a request, you must tell the individual why and that they have the right to complain to the supervisory authority and to a judicial remedy. You must do this without undue delay and at the latest, within one month.
Step 6: Identify, document & explain lawful basis. Under the GDPR some individuals’ rights will be modified depending on your lawful basis for processing their personal data. You will also have to explain and document your lawful basis, both in your privacy notice and when you answer a subject access request. These conditions are broadly the same as those in the DPA so, as long as you are following them, you should be OK.
Step 7: Refresh existing consents. If you are using consent as a basis for processing and your existing consents do not meet the GDPR standard, you need to review how you seek, record and manage consent as soon as possible.
If you rely on individuals’ consent to process their data, make sure it will meet the GDPR standard on being specific, granular, clear, prominent, opt-in, properly documented and easily withdrawn. If you would like to find out more, refer to the ICO’s guidance, Consent at a glance.
Step 8: Protect the data of children. You’ll need to think about whether systems are in place to verify ages and to obtain parental or guardian consent, because the GDPR will, for the first time, bring in special protection for children’s personal data. If the child is under the age of 16, you’ll need to get consent from a person holding ‘parental responsibility’. This is particularly relevant in the context of commercial internet services such as social networking.
Step 9: Detect, report & investigate breaches of personal data. You should put procedures in place to effectively detect, report and investigate a personal data breach. The GDPR will introduce a duty on all organisations to report certain types of data breach to the ICO and, in some cases, to the individuals affected. You will only have to notify the ICO of a breach where it is likely to result in a risk to the rights and freedoms of individuals.
Where there is a risk that personal data could be breached, it is worth ensuring that your business meets the GDPR data security requirements too. This can lead not only to GDPR compliance but also to an enhanced security posture and even business enablement benefits.
Step 10: Adopt a privacy & data protection by design approach. Previously only advisory, this approach to privacy and data protection has now been made an express legal requirement by the GDPR, under the term ‘data protection by design and by default’.
A Data Protection Impact Assessment (DPIA) is required in situations where data processing is likely to result in high risk to individuals: where new technology is being used; where a profiling operation is likely to significantly affect individuals; or where there is large scale processing of the special categories of data.
Step 11: Designate a Data Protection Officer (DPO). You must designate a DPO if you are:
- a public authority (except for courts acting in their judicial capacity);
- an organisation that carries out the regular and systematic monitoring of individuals on a large scale; or
- an organisation that carries out the large scale processing of special categories of data, such as health records, or information about criminal convictions.
It’s important that either someone in your organisation, or an external data protection advisor, takes responsibility for your data protection compliance. A designated Data Protection Officer (DPO) will be on hand to help ‘Controllers’ and ‘Processors’ comply with data protection law and avoid the increasing risks involved in processing personal data.
Step 12: Determine your lead authority. This is only relevant if you trade internationally, but if it applies to your organisation, you should map out where your organisation makes its most significant decisions about its processing activities. This will help to determine your ‘main establishment’ and therefore which lead supervisory authority is allocated to you.
Let us help you
By registering your interest, we'll be equipped to help answer any questions you may have about the GDPR and provide further information about how it will affect your business.