How GDPR-ready are you?
The countdown is on. In just 12 months’ time, the new EU-wide data protection regime comes into force. The General Data Protection Regulation (GDPR) introduces key changes, including new and enhanced rights for individuals, specific legal obligations on data processors, obligations to notify data breaches, fines up to the greater of 4% of annual global turnover or €20 million, and detailed record-keeping requirements.
The GDPR’s implementation in the UK is unaffected by Brexit, and there is no transitional period, which means that businesses must be compliant by 25 May 2018. If you haven’t started to prepare yet, don’t panic, but now is the time to kick-start the process. Developing and implementing an effective compliance strategy is likely to require significant lead-in time, depending on the nature of your business and the extent to which you comply with the existing data protection regime.
GDPR Compliance Checklist
By taking the following practical steps, you will be well on your way to being GDPR-ready.
- Raise awareness: Ensure that the key individuals in the business know what is coming. The UK’s Information Commissioner’s Office (ICO) has produced a helpful overview of the GDPR – highlighting the key themes to help businesses understand the new framework – and a 12 steps to take now document.
- Carry out a full information audit, including a data mapping exercise: It will be very difficult to devise an effective action plan without knowing first how the business handles data. Get to grips with what data you hold and how you use it. What personal data is collected? How is it collected? Why is it collected? Where is it stored? For how long is it retained? Who is it shared with? What protective security measures are in place?
- Carry out a gap analysis: Using the results of the audit, you will then be in a position to identify any areas of weakness and the necessary changes to ensure compliance.
- Devise a compliance strategy: Armed with the results of the audit and the gap analysis, you can then start to form an action plan and put the arrangements in place to follow it through. Think about who needs to be involved in the process and who will manage it. Factor in targeted staff training and build in a realistic timetable and costings. Many of the changes required will have potentially significant budgetary implications for businesses.
- Consider whether you need a Data Protection Officer (DPO): Appointing a DPO has long been good practice, but it will become mandatory under GDPR for public authorities/bodies as well as businesses whose core activities involve the regular and systematic monitoring of individuals on a large scale or processing of special categories of data or personal data relating to criminal convictions and offences on a large scale. European-level guidance has been issued on this topic and can be found on the website of the Article 29 Working Party (WP29). The role of DPO can be filled either by an existing employee or by an external hire, but they must be a data protection expert, so start searching for a suitable candidate now.
- Review your breach response plan: GDPR imposes a new obligation to notify data breaches to the ICO without undue delay and where feasible within 72 hours of becoming aware of the breach. If a breach occurs, when deciding what enforcement action to take, including the appropriate level of any fine, the ICO will take into account whether the business has implemented appropriate technical and organisational measures to enable it to identify immediately whether a breach has occurred.
- Create processing records: Instead of registering with the ICO every year, businesses will be required to maintain detailed records of their processing activities which must include detailed information prescribed by GDPR. These records must be kept in written form and made available to the ICO on request. This means that they should be easily accessible and in a format which can be easily disclosed to the ICO. Records will need to be regularly reviewed and updated, particularly after any significant changes to systems, procedures or the introduction of new products and services. Identify who within the business is responsible for collating and updating records and responding to ICO requests. Factor in the cost of any required changes to systems to create records, the cost of regular reviews, and the possibility of increased fees payable to the ICO. These records will play a key part in demonstrating your compliance with GDPR.
- Consider individuals’ rights: GDPR brings changes to the subject access request regime and introduces the right to be forgotten, the right to object to profiling, and the right to data portability. Existing procedures should be reviewed, updated and amended to bring them in line with the new requirements. The ICO recently issued a feedback request on the new profiling provisions, the responses to which will help inform the UK’s contribution to the WP29 guidelines, which are due to be published later this year. The WP29 has already adopted guidelines on data portability.
- Review your privacy notices: GDPR places greater emphasis on accountability and transparency generally and requires individuals to be provided with more detailed information about what is happening to their personal data. The ICO’s revised privacy notices code of practice is a useful starting point.
- Introduce the use of Data Protection Impact Assessments (sometimes called Privacy Impact Assessments or PIAs). A PIA is a tool designed to help businesses understand the impact of processing operations which involve personal data and to manage the risks of that processing. Carrying out one of these assessments will be mandatory where the processing is likely to result in a high risk to the rights of individuals, particularly where new technology is used. Using PIAs will also help businesses to implement privacy both by design (so data protection safeguards are built into all processing activities) and by default (to ensure that the minimum amount of data is processed). The ICO encourages businesses to familiarise themselves now with its code of practice on this topic and the WP29’s guidance (which is yet to be formally adopted following the recent consultation).
- Identify whether consent is the most appropriate basis for processing. Where businesses are relying on consent, they will need to ensure that GDPR’s higher standards for a valid consent are met. Review existing consents. These will need to be refreshed if the more stringent requirements are not satisfied. The ICO is expected to publish its final guidance on consent in the summer.
- Review contracts with third parties which are likely to need some renegotiation. GDPR requires contracts which involve sharing personal data, whether this is controller to controller or controller to processor, to include specific provisions. Keep this in mind when entering into new contracts. ICO guidance on contracts and liability is in the pipeline.
Further guidance on a range of GDPR topics is expected at both the UK and European level throughout the year. Watch out for the next instalment of our series of guides to the GDPR which will consider all the latest guidance and what it means for your compliance programme.
Remember: there are now 20 million reasons to get GDPR compliance right, but don’t panic, be prepared. Although there is still a lot of uncertainty surrounding GDPR, given the amount of changes that many businesses will need to make, doing nothing is not an option.
Walker Morris’ data protection experts can assist you with all aspects of GDPR compliance from data mapping to implementing your compliance strategy. Please contact Jeanette Burgess or Andrew Northage if you have any queries or to find out more about how we can help.