The GDPR (General Data Protection Regulation) isn’t to be confused with the DPRK or even the DDR, although businesses could be forgiven for thinking otherwise. Press coverage has emphasised the greatly increased powers accorded to the Information Commissioner’s Office (ICO) and the substantially increased fines for non-compliance. Although this is true, such coverage says little about the reality of this new legislation and what GDPR compliance entails.
The GDPR will apply across the European Union (EU) from May this year and will continue to apply to any company conducting business with EU-based clients and customers regardless of the ultimate shape of Brexit.
Achieving GDPR compliance is fundamentally a three-stage process: identifying your obligations and responsibilities under the GDPR, putting in place the necessary people, resources and processes, and addressing any underlying system requirements to achieve and facilitate compliance. It is important to understand that for companies and organisations the GDPR is as much about risk mitigation as it is about simple compliance.
This list looks daunting because for some companies the scale of the GDPR is daunting. Regardless of your size, we can help you navigate the potential pitfalls and ensure that your transition to this brave new world is as smooth as possible.
- Ensure that key personnel within your organisation are aware of the GDPR and the effect it will have on your organisation. Large organisations may find that there is a significant resource overhead to achieving compliance and will need to plan for this.
- Identify all relevant information you hold as an organisation; this may require an information audit.
- You have a responsibility to ensure that any data you hold and share is accurate; how will you communicate changes to recipients of shared data?
Communicating Privacy Information.
- The GDPR imposes new requirements on the information conveyed in your Privacy Notice. You will need to ensure that your notices comply with the new regulation and meet the need for clear, easy-to-understand language.
- The GDPR requires you to be clear about what information you hold and the lawful basis for doing so.
- Individuals’ rights under the GDPR include: the right to be informed; the right of access; the right to rectification; the right to erasure; the right to restrict processing; the right to data portability; the right to object; and the right not to be subject to automated decision-making, including profiling.
- The right to data portability is new. It specifically applies to personal data an individual has provided to a controller; where the processing is based on the individual’s consent or for the performance of a contract; and when processing is carried out by automated means. This new right will require that you consider if changes are required to your procedures. The personal data must be furnished in a structured, commonly used and machine-readable form and be free of charge.
Subject Access Requests.
- In most cases, you will not be able to charge for complying with a request, and you will have one month to do so (currently it’s 40 days).
- You can refuse or charge for requests that are manifestly unfounded or excessive, but you will have to tell the individual why and inform them of their right to complain to the supervisory authority and to seek a judicial remedy. Again, this must be done within a month.
- Can your current systems and processes cope with high volumes of access requests?
- Identify the lawful basis for your processing activity in the GDPR, document it and update your privacy notice to explain it.
- Under the GDPR some individuals’ rights will be modified depending on your lawful basis for processing their personal data. This is especially true where consent is your lawful basis as people will have stronger rights to the deletion of their data.
- You should review how you seek, record and manage consent and whether you need to make any changes.
- Refresh existing consents now if they don’t meet the GDPR standard.
- Consent must be freely given, specific, informed and unambiguous. There must be a positive opt-in – consent cannot be inferred from silence, pre-ticked boxes or inactivity.
- Consent must be separate from other terms and conditions.
- Withdrawing consent must be made clear and simple.
- Public authorities and employers will need to take particular care. Consent has to be verifiable and individuals generally have more rights where you rely on consent to process their data.
- You are not required to automatically refresh all existing DPA consents in preparation for the GDPR, but if you rely on individuals’ consent to process their data, make sure it will meet the GDPR standards: specific, granular, clear, prominent, opt-in, properly documented and easily withdrawn. If not, alter your consent mechanisms and seek fresh GDPR-compliant consent, or find an alternative lawful basis to consent.
You should start thinking now about whether you need to put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity.
- The GDPR will bring in special protection for children’s personal data, particularly in the context of commercial internet services such as social networking.
- The GDPR sets the age when a child can give their own consent to this processing at 16 (although this may be lowered to a minimum of 13 in the UK).
- If a child is younger, you will need to get consent from a person holding ‘parental responsibility’. This could have significant implications if your organisation offers online services to children and collects their personal data.
- Remember that consent has to be verifiable and that when collecting children’s data your privacy notice must be written in language that children will understand.
- You should make sure you have the right procedures in place to detect, report and investigate a personal data breach.
- You may be required to inform the ICO if you suffer a breach.
- All organisations must report a breach that could result in: discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage.
- You may have to notify the individuals affected. Establish procedures to effectively detect, report and investigate a personal data breach.
- Assess the types of personal data you hold and document where you would be required to notify the ICO or affected individuals if a breach occurred.
- Failure to report a breach when required to do so could result in a fine, as well as a fine for the breach itself.
- If your organisation operates in more than one EU member state, you should determine your lead data protection supervisory authority and document this.
- The lead authority is the supervisory authority in the state where your main establishment is.
- This is only relevant where you carry out cross-border processing, i.e. you have establishments in more than one EU member state, or you have a single establishment in the EU that carries out processing which substantially affects individuals in other EU states.
- If this applies to your organisation, you should map out where your organisation makes its most significant decisions about its processing activities. This will help to determine your ‘main establishment’ and therefore your lead supervisory authority.