Preparing for GDPR
The General Data Protection Regulation (GDPR), due to enter into force on 25 May 2018, is set to bring in a number of changes to the current data protection regime as set out in the Data Protection Act 1998 (DPA). The Government has confirmed that the GDPR will apply and, in its latest statement of intent, the Department for Digital, Culture, Media & Sport has said that a Data Protection Bill will be introduced. With stricter rules, no grace period for compliance and substantially higher fines, organisations should start preparing now.
Key changes brought by the GDPR
The GDPR introduces a number of changes including:
- Enhanced data subject rights - the right to be forgotten, rectification, data portability and the right to object, and less time to respond to subject access requests;
- Data controllers are required to have in place comprehensive and proportionate governance measures relating to data processing and to be able to demonstrate compliance with the new rules;
- Higher standard of consent where data controllers rely on consent for processing;
- Having written agreements in place when appointing a data processor and direct compliance obligations on data processors;
- Considering the data protection implications when conducting new processing (data protection by design and default) and conducting privacy impact assessments;
- Notification of data breaches immediately or within 72 hours in certain circumstances;
- Appointing a Data Protection Officer in certain circumstances; and
- Enhanced enforcement powers for non-compliance, with maximum fines of up to 4% of annual turnover or £17 million (whichever is greater).
Guidance from the ICO
The ICO has been issuing guidance to organisations through different means. Its "12 steps to take now" is a useful tool for organisations as part of their preparations for GDPR compliance. Similarly, its draft guidance on consent provides a good overview of the key issues that data controllers are required to consider when determining whether they can rely on consent and how consent can be obtained, maintained or withdrawn. In its latest initiative the ICO has launched myth-busting blogs about the GDPR, in which it has set out that it will use its enhanced powers judiciously (which is to be welcomed) and that consent is not the silver bullet for processing. Whilst such guidance is to be welcomed and is certainly useful, organisations should also be aware that the ICO has emphasised that there will be no grace period for GDPR compliance and that it is a matter for the boardroom of each organisation.
Preparing for Compliance
With less than a year to go, organisations should consider a risk-based approach and take preparatory steps including:
- Acquaint yourself with the new rules - the GDPR is likely to affect different segments of your business, such as HR, marketing and IT among others, and all departments/teams are required to work together to devise your compliance plan;
- Conduct an information audit - you could start this by data-mapping to determine what data you are processing, on what basis, where it is being stored, whether it is being shared and with whom, its accuracy, and its deletion and retention periods;
- Review the results and consider next steps you need to take - for example if a legal basis for processing is no longer available or does not meet the requisite standard, consider what you can do to achieve compliance;
- Review existing policies, procedures, privacy notices and contracts - all of these are important to ensure that you achieve GDPR compliance. For example, you may be sharing data with different organisations and may need to document these data flows, or your subject access request policy may need to be amended to provide for new rights and new timeframes to respond. Similarly, to ensure transparency you may need to consider the information you include in your privacy notice so that any customer who consents to providing you with their personal data has the required information;
- Consider appointing a data protection lead - this may be a Data Protection Officer or it could be someone else depending on your particular circumstances. Having a data protection lead could be important to ensure your organisation prepares for the new rules, reports to your organisation's Board and continuously reviews data protection obligations and updates processes to achieve compliance. Similarly, it can improve your organisation's ability to integrate data protection by design and default and conduct privacy impact assessments;
- Introduce/review data protection training for employees - this will help them and you in complying with the GDPR in day-to-day processes; and
- Compile a compliance plan - as data controllers are under an obligation to demonstrate their own compliance, the results from the preceding steps will assist you to demonstrate the steps you have taken, including policies that you have updated or new processes that you have introduced to comply with the GDPR. This can also include a data breach response policy to ensure that, in the event of a data breach, there are processes in place to enable your organisation to respond.
Forbes Solicitors provides advice in relation to a range of data protection matters, from responding to subject access requests and reviewing policies and procedures to providing in-house training and assisting organisations to prepare for the GDPR.
If you would like more information on preparing for GDPR see our events:
General Data Protection Regulation for HR Professionals
GDPR: Are You Ready? Business Masterclass with North West Lancashire Chamber of Commerce
We have a GDPR support service available with fixed prices to allow you to budget for the help we can provide. If you would like more information on our GDPR support service or if you have any questions about data protection compliance under the current rules, the GDPR or ePrivacy Regulation, please contact Daniel Milnes.