GDPR: Getting Ready
25 May 2017
Author: Eileen Moughan
Our first article in this series looked at some of the new concepts introduced by the EU General Data Protection Regulation (“GDPR”). This second article turns to the more practical issue of implementation.
Regardless of the size of your organisation, implementing the GDPR could have significant budgetary, IT, personnel, governance and communication implications. To assist companies with the initial preparation for the changes, the Information Commissioner (ICO) has put together a helpful checklist that highlights 12 steps that should be taken now to ensure you are ready for 2018. We hope you find the summary below helpful:
- Awareness - ensure decision makers and key people in the organisation are aware that the law is changing and that getting ready could involve significant expenditure on new technology.
- Information you hold - what personal data is held, where did it come from and with whom is it shared? Undertake an information audit across the organisation - documenting these details will help to comply with the GDPR’s accountability principle which requires organisations to show how they comply with the data protection principles, for example by having effective policies and procedures.
- Communicating privacy information - review current privacy notices and start the process for making any necessary changes now. It’s unlikely that existing privacy notices will include all the additional information now required by the GDPR such as the need to explain the legal basis for processing the data, the data retention periods and the individual’s right to complain to the ICO if they think there is a problem with the way their data is being handled.
- Individuals’ rights – check your procedures to ensure they cover all the rights individuals have, including how the company would delete personal data or provide data electronically and in a commonly used format.
- Subject access requests - update your procedures for dealing with subject access requests to ensure compliance within the new timescales and that the requisite additional information is provided. Make sure you update your policies and procedures to reflect the new grounds for refusing a request.
- Legal basis for processing personal data - given the various types of data processing carried out by your organisation, are the legal bases for carrying it out fully understood and documented? Why, legally, is the company justified in holding and using each set of personal data? Under the GDPR some individuals’ rights will be modified depending on the company’s legal basis for processing their personal data. For example, people will have a stronger right to have their data deleted where consent is used as the legal basis for processing. The legal basis for processing personal data must be explained in the privacy notice and when a subject access request is answered. Again, this should be documented to help comply with the GDPR’s ‘accountability’ requirements.
- Consent - what is the current process for seeking, obtaining and recording consent and will changes need to be made? Consent has to be a positive indication of agreement to personal data being processed. It cannot be inferred from silence, pre-ticked boxes, “opt out” boxes or inactivity. Under the GDPR, consent has to be verifiable and controllers must be able to demonstrate that consent was given. Organisations should review the systems used for recording consent to ensure there is an effective audit trail. The new rules could mean changes to websites to make sure appropriate consents are obtained regarding use of personal data and cookies.
- Children - there may be a need to have systems in place to verify individuals’ ages and to gather parental or guardian consent for the data processing activity. This aspect will be more of an issue for commercial internet services like social networking sites.
- Data breaches - there should be procedures in place to detect, report and investigate a personal data breach. Under the GDPR all organisations will have a duty to notify certain breaches, namely those where the individual is likely to suffer some form of damage, such as through identity theft or a confidentiality breach. In some cases the individuals whose data has been subject to the breach will need to be notified directly. A failure to report a breach when required to do so could result in a fine, in addition to any fine for the breach itself.
- Data Protection by Design and Data Protection Impact Assessments (DPIAs) - you should review the ICO’s detailed guidance notes on Privacy Impact Assessments and determine how to implement them in your organisation, as there is now a legal requirement to carry them out. You’ll need to decide in what circumstances a risk assessment should be carried out and who will do it.
- Data Protection Officers - it may be necessary to designate a Data Protection Officer, where one is required, or otherwise someone to take responsibility for data protection compliance. The important thing is to make sure that someone in the organisation, or an external data protection advisor, takes proper responsibility for data protection compliance and has the knowledge, support and authority to do so effectively.
- International - if the organisation operates internationally, determine which data protection supervisory authority will be responsible for its regulation. The GDPR contains quite complex arrangements for working out which data protection supervisory authority takes the lead when investigating a complaint with an international aspect, for example where a data processing operation affects people in a number of Member States. Companies may also need to review how transfers of personal data outside the EEA will continue to be permitted.
For more information on any of the matters detailed above or for general advice on or assistance with the new GDPR, please contact Dawn McKnight [email protected]. Dawn is a Partner at Carson McDowell and is head of the firm’s Commercial Practice.