In May 2016, organisations were given two years to get ready for some big data protection changes. The first year has flown by and now there is just under one year to go.
On 25 May 2018, and regardless of Brexit, the EU General Data Protection Regulation (GDPR) takes effect, replacing the current Data Protection Act (DPA), under which we have operated for the last 20 years. There is no 'grace period' under the GDPR and therefore businesses are expected to be compliant from the get-go next May.
The GDPR will introduce new concepts and approaches that will require you to implement new practices around data protection, information security and privacy. Many organisations are already gearing themselves up for the changes and if you have not yet started, it is important that you do so now. It will involve changes in procedures and contracts.
Breaching the GDPR could result in fines of up to 20 million Euros or, if greater, 4% of annual worldwide turnover. Under the DPA, fines are currently capped at £500,000.
What Should You Be Doing Now?
- Plan ahead - audit and document what personal data (and particularly sensitive personal data such as data about health, race or religion) you hold, where you obtained it, what it is used for, where and how it is stored and with whom it has been shared. This will help you to understand your data flows so that you are clear what steps you need to take to become compliant.
- Review and update your privacy notices. Organisations must give people certain information about how their personal data is used. This information is usually provided in a document known as a privacy notice. The GDPR will require significantly more information to be included in privacy notices than the DPA currently does. For example, individuals must be told about their right to complain to the ICO, and must also be given information about how long their data is kept for. Individuals must also be told about the legal basis that you are relying on to process their personal data (eg consent, legitimate interest and so on).
- If you obtain consent as a justification for processing data, review how you obtain it (pay attention to your marketing materials) - the GDPR requires a very high standard of consent which must be given by a clear affirmative action (freely given, specific, informed, unambiguous).
- Think information security. The GDPR contains more detail around what organisations must do to keep personal data safe (eg by using encryption, data protection policies, etc).
- There are requirements for data to be protected by design and by default. Some data uses need additional safeguards such as privacy impact assessments - do you have the set-up in place to be able to do this?
- The GDPR contains extensive record keeping obligations. It is not sufficient to be compliant; there is also an obligation to be able to 'demonstrate' that compliance.
- There are new requirements to report data breaches to the regulator and in some cases to individuals affected. This has to be done without undue delay and generally within 72 hours. Do you have systems in place to be able to respond where necessary?
- Consider whether you need to appoint a Data Protection Officer (DPO) - any DPO appointed can, but does not have to, be an employee but must be independent and must also be given the resources to do their job.
- Data portability and the right to be forgotten. Data subjects have new rights for their data to be removed or provided in a common transferable format to other people. Do you have systems in place to be able to respond to their requests?
- The GDPR will introduce new requirements around data processors. Data processors are organisations who handle personal data on behalf of others. All of the following are examples of data processors: cloud storage providers, payroll service providers and organisations which send out email or postal mailshots on behalf of their client.
- If you use data processors (and most businesses do even if they don't realise it!) then you must ensure that there is a written contract in place and you must carry out due diligence on the data processor. The GDPR is far more prescriptive than under the DPA in terms of what must be included in the written agreement, so it is important to make sure that your data processing agreements are updated to be GDPR compliant.
- If you are a data processor, then the GDPR represents a significant change. This is because data processors have no regulatory obligations under the DPA (even if they have contractual obligations to data controllers), but will owe extensive obligations under the GDPR (eg around information security and reporting breaches to their customers).
This update highlights only a few of the key issues you need to consider to be GDPR compliant. We would be pleased to advise further if required. Do you need help with any of the above? What about your staff? As part of the service we offer, we can assist with GDPR audits and are also providing training to staff as well as GDPR compliant policies and procedures. There is a lot to do, but we are here to help.
Let us help you
If you register your interest, we will be equipped to help answer any questions you may have about the GDPR and provide further information about how it will affect your business.