GDPR – 12 months and counting
The General Data Protection Regulation (GDPR) was approved and adopted by the EU Parliament in April 2016. The regulation will take effect after a two-year transition period and come into force on 25 May 2018.
Assessing the impact of these changes and identifying potential compliance issues under the GDPR will be a challenge for many organisations. The maximum fine that can be imposed for serious infringements is €20 million or 4% of annual global turnover, whichever is higher.
Within your own organisation, key individuals and decision makers should be made aware that the law is changing and that they have 12 months from today to ensure their data protection affairs are in order.
This article highlights ten very straightforward steps you can consider implementing in the next 12 months to ensure your organisation is compliant with GDPR.
Brexit and GDPR
Our clients regularly ask us: should we continue with planning and preparation for the imminent changes under the GDPR in light of Brexit?
The short answer is ‘yes’. The UK Government has already said that Brexit will not affect the commencement of the GDPR, and this is unlikely to change.
Even if there were a wholesale change of direction, if your organisation sells goods or services to individuals in other EU countries it will need to process personal data about those individuals, and as a result the EU will consider the GDPR to apply to you regardless.
The rights of individuals
The GDPR includes the following rights for individuals:
- the right to be informed;
- the right of access;
- the right to rectification;
- the right to erasure;
- the right to restrict processing;
- the right to data portability;
- the right to object; and
- the right not to be subject to automated decision-making including profiling.
Of the above, data portability is a new right.
Recommendation: This is an excellent time for your organisation to check internal procedures and to work out how you would react to a request in connection with the above list – consider whether your systems would help you to locate the relevant data and who would make the necessary internal decisions.
Consent
Your organisation will not be required to automatically ‘repaper’ or refresh all existing consents obtained under the Data Protection Act 1998 (DPA) in preparation for the GDPR. However, the higher standard of consent required will place more demands on your business.
Recommendation: Your organisation should review how you seek, record and manage consent and whether further changes need to be made to ensure the GDPR standard is met in future. Note that consent must be:
- freely given, specific, informed and unambiguous;
- there must be a positive opt-in and consent cannot be inferred from inactivity, silence or pre-ticked boxes; and
- the withdrawal of consent must be as easy as giving it.
The lawful basis for processing personal data
Under the GDPR, the rights available to individuals will differ depending on the lawful basis your organisation relies on for processing their personal data.
Recommendation: Your organisation should identify the lawful basis for each of its processing activities, document it, and update your privacy notice to reflect it. It will also be necessary to explain the lawful basis for processing personal data in your privacy notice and when you answer a subject access request.
Subject access requests
The GDPR rules are changing with regard to subject access requests. After 25 May 2018, your organisation will:
- not be able to charge for complying with a request;
- have a month to comply with a request, rather than the current 40 days;
- be able to refuse or charge for requests that are manifestly unfounded or excessive; and
- if you refuse a request, your organisation must, without undue delay and at the latest within one month:
- (a) tell the individual why; and
- (b) set out that they have the right to complain and to a judicial remedy.
Recommendation: Your organisation should consider updating your procedures and plan in connection with how to handle requests.
Information held by your organisation
The GDPR requires you to maintain records of your organisation’s processing activities.
Recommendation: Your organisation should document all personal data you hold, where it came from and who you share it with. We recommend considering undertaking an information audit across your organisation in preparation for GDPR.
The communication of privacy information
When collecting personal data, the collector is required to provide certain information to the individual (such as the identity of the controller and the purposes for which the data will be used). This is usually done through a privacy notice. The GDPR will require additional items to be included.
Recommendation: Your organisation should review its current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.
Also consider the new right of data portability. This is the right of a data subject to receive the personal data concerning them which they have provided to a controller, in a structured, commonly used and machine-readable format, and to transmit that data to another controller. It only applies:
- to personal data an individual has provided to a controller;
- where the processing is based on the individual’s consent or for the performance of a contract; and
- when processing is carried out by automated means.
Data breaches
Where a personal data breach is likely to “result in a risk to the rights and freedoms of individuals”, its notification will become mandatory. Controllers must notify:
- the competent supervisory authority (in the UK, the ICO) without undue delay and, where feasible, within 72 hours of becoming aware of the breach; and
- affected data subjects without undue delay, where the breach is likely to result in a high risk to their rights and freedoms.
Recommendation: Your organisation should ensure it has the correct procedures in place to detect, report and investigate a personal data breach. Some organisations are already required to notify the ICO, and possibly other bodies, when they suffer a personal data breach, and in modern commercial agreements this obligation is often given as a warranty or occasionally as the basis for an indemnity. Where a breach results, or is likely to result, in a high risk to the rights and freedoms of individuals, your organisation will in most cases have to notify those concerned directly. Failure to report a breach when required to do so could result in a fine, in addition to any fine for the breach itself.
Data Protection Officers (DPO)
DPOs must be appointed in the case of:
- public authorities;
- organisations whose core activities involve large-scale, regular and systematic monitoring of individuals; or
- organisations whose core activities involve large-scale processing of special categories of (sensitive) personal data.
Recommendation: Consider whether your organisation falls into one of the above categories. If not, there is no requirement to appoint a DPO.
Children
The GDPR will for the first time bring in special protection for children’s personal data.
Recommendation: If your organisation offers online services to children and relies on consent to collect their information, the consent of a parent or guardian may be required in order to process the child’s personal data lawfully.