The General Data Protection Regulation (GDPR) will introduce a single framework for the protection of personal data that will apply across all EU member states from 25 May 2018.
Under the GDPR, organisations will face enhanced duties and greater sanctions for breach of their data protection obligations. Accordingly, organisations should take action now to ensure they are fully compliant with the principles of the GDPR.
The GDPR will introduce new concepts and approaches for the protection of personal data. The good news for organisations is that many of the new requirements under the GDPR are similar to existing core concepts under the Data Protection Act 1998.
Organisations should be aware that the GDPR is still likely to require significant changes to existing processes. Ensuring compliance will take time and it is therefore essential for organisations to plan ahead.
Expanded Territorial Reach
The location of the data subject and not the organisation will determine whether or not the GDPR applies to organisations that do not have an establishment within the EU.
This means that many non-EU organisations will be required to comply with the GDPR even if they were not previously required to comply with the Data Protection Directive.
Consent
Consent must be freely given, specific, informed and unambiguous. It must be a clear indication of the data subject’s agreement to the processing of their personal data. Consent has to be given on an opt-in basis and the data subject must have the right to withdraw their consent at any time.
Existing practices for obtaining consent will need to be reviewed and amended to meet GDPR standards. Consider refreshing existing consents where they do not meet these standards.
Rights of Data Subjects
The rights of data subjects under the GDPR are enhanced and, as a result, organisations should carefully ensure that these rights are appropriately addressed.
Data subjects will have the right to be forgotten, data portability rights, the right to have inaccuracies corrected and the right not to be subject to automated decision-making, including profiling.
There are also new rules in relation to subject access requests, including a change to the response time, which will be just one month.
Accountability
The GDPR adopts a risk-based approach and requires data controllers to implement appropriate measures to ensure and demonstrate compliance with the GDPR.
Data Protection Impact Assessments are required to be carried out prior to the use of new technologies that are likely to result in a high risk to data subjects.
Any measures identified must be monitored and updated.
Privacy Notices
The GDPR increases the amount of information organisations need to include in privacy notices, such as notification of the expanded rights of data subjects.
Organisations should, therefore, review existing privacy notices and ensure that any necessary changes are implemented prior to the GDPR coming into force.
These notices and any communications to data subjects must be clear, concise and intelligible.
Data Protection Officers
A senior member of your organisation should take overall responsibility for GDPR compliance. Organisations should also consider whether they are obliged to appoint a Data Protection Officer who has the knowledge and authority to monitor compliance effectively.
As the changes under the GDPR are comprehensive and far-reaching, all members of your organisation should be trained on the GDPR requirements.
Security and Breach Notification
Organisations must ensure that personal data is kept secure at all times. In some cases, enhanced measures such as encryption will be necessary.
The GDPR requires mandatory reporting of security breaches to the regulator and in serious cases to the data subject.
Organisations should put in place processes to deal with breaches in accordance with the GDPR.
Data Processors
The GDPR imposes duties directly on data processors in addition to data controllers. The GDPR will impose sanctions for breach on both data processors and data controllers.
Data controllers should identify contracts with data processors and ensure they reflect the GDPR. Data processors should review existing arrangements to ensure these meet their updated compliance requirements.
Transfer out of EU
The GDPR allows the transfer of data outside of the EU only when certain safeguarding criteria are met. A broader range of mechanisms to transfer personal data out of the EU has also been introduced, including approved codes of conduct and certification processes.
Organisations should review their procedures to check whether they are adequate under the GDPR and consider whether new documentation is required, such as binding corporate rules.
Sanctions
The GDPR will significantly increase the maximum fines for non-compliance and regulators will be able to impose fines on data controllers and data processors. The maximum level of fine is €20 million or 4% of total worldwide annual turnover (whichever is greater).
In addition to financial sanctions, there will also be significant reputational damage to organisations if they fail to adequately comply with the GDPR.
8 Steps to GDPR Compliance
1. Consent
How are you seeking, obtaining and recording consent?
You must be able to demonstrate that consent has been freely given and is specific, informed and unambiguous. It must be given on an “opt-in” basis. You may need to update existing consents now if they do not comply. Special rules will apply to obtaining consent for processing children’s personal data.
2. Privacy notices
Are your privacy notices GDPR compliant?
In addition to the current information you are required to give when you collect personal data, you will need to set out your legal basis for data processing and your data retention periods, as well as advise individuals that in addition to other rights, they have a right to complain to the ICO. This information must be communicated clearly and concisely.
3. Holding and processing data
What information do you hold and what is your legal basis for processing it?
Under the GDPR you are required to maintain records of your processing activities. You may need to carry out an information audit to ascertain what information you hold, where it came from, what you do with it and who you share it with.
4. Rights of individuals
Do your procedures comply with individuals’ new rights under the GDPR?
Individuals will have greater rights in relation to their data under the GDPR, including rights of access and data portability, to have inaccuracies corrected, to have information erased, to prevent direct marketing and to prevent automated decision-making and profiling.
5. Subject access requests (SARs)
How will you comply with the new rules on SARs?
You will now have just a month to comply with a subject access request and will only be able to refuse or charge for requests if they are manifestly unfounded or excessive. Consider what systems you may need to implement to meet the challenge of having to deal with requests more quickly.
6. Data Protection Impact Assessments (DPIAs)
Do you have a strategy for dealing with the new DPIA requirements?
DPIAs will become mandatory in some cases, e.g. where new technology is deployed, where profiling is likely to significantly affect individuals or where processing is large-scale and involves special categories of data. Where a DPIA identifies high-risk processing, you will need to consult the ICO. Take steps now to identify how DPIAs will be carried out and by whom.
7. Data Breaches
Do you know what to do if you detect a data breach?
Make sure you have procedures in place to detect, report and investigate a personal data breach. The GDPR will require you to notify the ICO of certain types of data breach and, in serious cases, the individual affected.
8. Cross-border data processing
Do you carry out cross-border data processing within the EU?
If so, map out where your organisation makes its most significant decisions about data processing to determine who your lead data protection supervisory authority is and document it.