On 25 May 2018, and regardless of Brexit, the EU General Data Protection Regulation (GDPR) takes effect, replacing the current Data Protection Act (DPA), under which we have operated for the last 20 years. There is no 'grace period' under the GDPR and therefore businesses are expected to be compliant from the get-go next May.
The GDPR will introduce new concepts and approaches that will require you to implement new practices around data protection, information security and privacy. Many organisations are already gearing themselves up for the changes and if you have not yet started, it is important that you do so now. It will involve changes in procedures and contracts.
Breaching the GDPR could result in fines of up to 20 million Euros or, if greater, 4% of annual worldwide turnover. Under the DPA, fines are currently capped at £500,000.
Pay attention to your marketing materials - particularly where you rely on consent as the justification for processing data. You will need to review how you obtain this consent - the GDPR requires a very high standard of consent, which must be given by a clear affirmative action (freely given, specific, informed and unambiguous).
Protect data by design and default. Some data uses need additional safeguards such as privacy impact assessments. Is your organisation set up to enable you to do this?
Review your record keeping obligations. The GDPR contains extensive record keeping obligations. It is not sufficient to be compliant; you also need to be able to demonstrate that compliance.
Be aware of your duty to report breaches. There are new requirements to report data breaches to the regulator and in some cases to individuals affected. This has to be done without undue delay and generally within 72 hours. Do you have systems in place to be able to respond where necessary?
Consider appointing a Data Protection Officer (DPO). Any DPO appointed can, but does not have to, be an employee, but must be independent and must also be given the resources to do their job.
Ensure measures are put in place to deal with data portability and the right to be forgotten. Data subjects have new rights to have their data removed or provided in a common, transferable format to other people. Are you able to respond to such requests?
Identify your data processors. The GDPR will introduce new requirements around data processors. Data processors are organisations who handle personal data on behalf of others. All of the following are examples of data processors: cloud storage providers, payroll service providers and organisations which send out email or postal mailshots on behalf of their client.
Enter into written contracts with your data processors. You must ensure that there is a written contract in place with your data processors and that appropriate due diligence is carried out. The GDPR is far more prescriptive than the DPA in terms of what must be included in the written agreement, so it is important to make sure your data processing agreements are updated to be GDPR compliant.
Be aware of your own data processing obligations. If you are a data processor, then the GDPR represents a significant change. Data processors currently have no regulatory obligations under the DPA (even if data processors had contractual obligations to data controllers) but will owe extensive obligations under the GDPR (e.g. around information security and reporting breaches to their customers).
There are many issues organisations need to be aware of, and prepare for, now in order to be GDPR compliant. As part of the service we offer, we can undertake GDPR audits, provide training to staff and assist with GDPR compliant policies and procedures. There is a lot to do, but we are here to help.