Many large organisations will have already taken on board the implications of the new General Data Protection Regulation (GDPR) but the majority of SMEs are yet to learn about the new legislation and understand its impact on their business.
GDPR represents the biggest shake-up in data protection legislation for decades - bringing new responsibilities, roles and the potential for heavy fines for non-compliance or breach.
This new legislation aims to create conformity across the EU and applies automatically in EU member states; irrespective of Brexit, businesses in the UK will need to comply.
Adopted back in April 2016, GDPR will replace the Data Protection Act (DPA) of 1998 and be effective from May 2018.
If your business already complies with the Data Protection Act your approach to compliance should remain largely valid under the GDPR and is certainly a good place to start from.
Over the next few months the Information Commissioner’s Office (ICO) is planning to issue new guidance and tools to assist businesses in meeting the new requirements. However, it is generally considered good practice to begin your compliance activity as early as possible, in particular by reviewing the GDPR’s new transparency and individuals’ rights provisions.
The ICO has produced a helpful twelve step approach to preparing for GDPR.
Here are some of the key points from their guidance:
Use GDPR’s two-year lead-in period to raise awareness and update your risk register accordingly.
Document what personal data you hold, where it came from and who you share it with. Under GDPR, if you hold inaccurate data and have shared it with another organisation, you will have to tell that organisation about the inaccuracy so it can correct its own records.
Communicating privacy information
Privacy notices will now need to explain your legal basis for processing the data, your data retention periods and the individual’s right to complain.
On the whole, the rights individuals will enjoy under GDPR are the same as those under the DPA but with significant enhancements. The main rights for individuals under GDPR include:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
Subject Access Requests
The timescale for responding to requests for information will be reduced to a month and, in most cases, you will not be able to charge the applicant. If you refuse a request you will need to have the necessary policies and procedures in place to justify why.
It is advisable to review how you are seeking, obtaining and recording consent. Consent needs to be freely given, specific, informed and unambiguous. GDPR makes reference to both consent and explicit consent, and the burden is on you to provide evidence that consent was obtained.
Legal Basis for processing personal data
You will need to review the type of data processing you carry out and define and document your legal basis for doing so. People will now have a stronger right to have their data deleted, particularly where you use consent as your legal basis for processing.
Children
Special rules now apply to children’s data, for example data obtained through social media services. In the UK a child is anyone below the age of 13, so you will need to verify individuals’ ages and obtain consent from a parent or guardian to process their data.
Start to make sure you have the right procedures in place to detect, report and investigate a personal data breach. This could involve assessing the types of data you hold and documenting which of them would fall within the notification requirement if there were a breach.
Data Protection Impact Assessments (PIA)
It is worth familiarising yourself with the guidance the ICO has produced on Privacy Impact Assessments.
This will help you identify the situations that give rise to a PIA, who should undertake those PIAs and who should be involved.
Data Protection Officers
Whilst some organisations will need to designate a Data Protection Officer, the important thing is to make sure that someone in your organisation, or an external data protection advisor, takes responsibility for your data protection compliance.
If your organisation operates internationally you should determine which data protection supervisory authority you come under.
If you have not already done so, start talking with your professional advisors, suppliers and distributors to coordinate your efforts.
Some companies may want to set up an internal project team, whilst others may appoint external advisors to ensure compliance.
Whatever your business it’s a good time to start making plans.