Opinions and insights from Roythornes' corporate and commercial law team.
Are you GDPR ready?
- Author: Julia Seary
The General Data Protection Regulations (GDPR) come into force in May 2018 and, despite the fact that they have been widely publicised since 2016, a recent survey identified that only 7% of businesses felt they were ‘very prepared’ for the new law, with the majority of businesses less so.
To a large extent, the Regulations have been introduced in order to bring the custody and use of personal data in line with the way in which organisations operate, and the Regulations are aimed at reinforcing the responsibility of those who store, use and process individuals' data.
From a business perspective, directors should be aware that losing or misusing data will be a very real risk in terms of financial penalties and reputational damage. If you need any further ammunition to get the issue raised at high levels, the maximum fines of 4% of an organisation’s annual worldwide turnover or 20 million Euros (whichever is the greater) should focus the mind!
The key concepts the Regulations introduce and reinforce are:
Ensure you have a lawful basis for processing personal data: establishing a clear legal reason for obtaining and processing individual data is a major element within the Regulations. If you rely on consent, this must be ‘explicit’ – i.e., freely given, specific and informed. There must be affirmative action – so no pre-ticked boxes. Consent can be withdrawn at any time and you should keep an audit trail to demonstrate when and how consent was obtained. If you have existing marketing lists which relied on an ‘opt out’ to give consent, you will need to go back to these people to gain active ‘opt-in’ consent.
Transparency and accountability are key: the Information Commissioner's Office (ICO) expects organisations to be able to demonstrate compliance and ensure a risk-based approach to data processing.
Processors: organisations that process personal data on behalf of a third party will be directly responsible to the ICO in addition to data controllers, which shifts the regulatory burden towards sub-contractors. Controllers must have written agreements in place with all processors.
Individuals’ right to be informed has been enhanced: the key issue here is that the business must make sure that individuals understand who is collecting their data and the purpose for, and means by, which it is being collected and processed. This will most likely require you to revise your Privacy Policies, and a Privacy Notice must be given to the individuals at the time their data is collected.
Individuals can now ask to be ‘forgotten’: businesses must erase all data within one month but the point to remember here is that data only needs to be erased if storage and processing can no longer be justified – it is a ‘qualified’ right.
Data portability: the Regulations introduce a new right for individuals to ask to have their data transferred to themselves or between organisations – in a machine-readable format.
Data breach reporting: it is the responsibility of the data controller to report data breaches to the ICO unless the breach is unlikely to result in a risk. Breaches must be reported to the ICO as soon as possible and, where feasible, within 72 hours. For breaches which could result in high risks, the individuals affected must be notified too.
GDPR ACTION PLAN: THE TOP TEN STEPS
The actions you need to take depend very much on your business, the type of data processed and the nature of the business relationships, but the 10-step guide below will at least form a framework around which you can start to build your GDPR action plan.
- Appoint a GDPR lead to manage the process and inform all key decision makers within your business how the law is changing and the increased level of risk
- Engage in a process of data mapping and identify the customer/employee/target personal data you hold and determine the legal basis, purposes and the means of your processing
- Review and update all relevant policies and procedures: what is the data, why and how is the data processed and protected, how long do you retain and when do you destroy data
- Clarify and document your ‘legal basis’ for processing – check consents are valid and, if not, re-approach individuals or delete data. Remove any opt-out pre-ticked boxes
- Check targets within acquired marketing lists have consented to their data being transferred to you. If necessary, re-obtain consent, and ensure individuals know your identity ‘as soon as practicable’
- You should note that in relation to Data Subject Access Requests, no fee is now payable and responses are required within one month, unless the request is manifestly unfounded or excessive
- Check IT systems to ensure that you can respond to access requests and easily rectify data errors or erase redundant data. Check whether data should be encrypted
- Review all third party supplier arrangements to check that processing is governed by a written agreement which contains regulatory prescribed guarantees
- Check whether data goes outside of the EU. The Regulations state that data transfer must not take place outside the EU unless there are adequate safeguards in place
- Consider staff training and ongoing audits to identify risks and highlight red flags
Despite the requirement to develop new procedures and re-write policies, the GDPR should also be seen in a positive light. It is an opportunity to re-engage with individuals, to ensure that you are speaking to clients and contacts who want to hear from you, and to ensure that you are only storing relevant and useful data. In any event, however you view the changes, you need to take action now to ensure you comply by the deadline.