General Data Protection Regulation

Planning for the changes

27 March 2017


The headlines about the GDPR have focused on the new maximum fine for infringing the Regulation, which has been set at €20 million or 4% of annual worldwide turnover, whichever is greater.

It is no wonder that these eye-watering levels of fines have captured the public interest, but the GDPR is about much more. With the Regulation applying from 25 May 2018, now is the perfect time to start planning for any changes required and to become familiar with the new requirements, which include:

  1. Culture of awareness - organisations should start now by gaining a greater understanding of the personal information which they hold (what it is, where it is stored, who has access to it and why) and make sure that everyone within the organisation is aware of the changes which are coming;
  2. Privacy by design - fair processing notices will become privacy notices, and organisations should put in place a plan for collecting, storing and deleting personal information which takes into account the rights that individuals have under the GDPR, building data protection into systems and processes from the outset rather than adding it afterwards;
  3. 1 month response time - the time limit for dealing with a Subject Access Request will change from 40 days to 1 month (extendable by a further two months for complex or numerous requests), and organisations will no longer be able to charge a fee unless a request is manifestly unfounded or excessive. Data controllers will also have 1 month to deal with requests to rectify personal data and, as part of the right to data portability, 1 month to provide the data in a commonly used, machine-readable format if it is requested by the data subject;
  4. Consent - consent for data collection must be freely given, specific, informed and unambiguous, and it must be as easy to withdraw as it was to give. Individuals will have to be made aware that they can withdraw their consent at any time, and organisations will need to be able to demonstrate that consent was obtained. There are specific requirements for dealing with information from children, including parental or guardian consent for online services offered directly to a child;
  5. Data Controllers and Data Processors - the GDPR will apply to both Data Controllers and Data Processors. A Data Controller decides how and why personal data is processed and the Processor acts on the instruction or direction of the Controller. The GDPR places further obligations on Controllers to ensure that contracts with Processors contain the terms the Regulation requires. If you are a Processor, the GDPR places significant legal obligations directly on you, for example to maintain records of personal data and processing activities, to implement appropriate security measures and to notify the Controller without undue delay on becoming aware of a personal data breach. Processors can be held directly liable (and fined) for failing to meet their own obligations;
  6. Jurisdiction - the GDPR relates to processing carried out by organisations established within the EU, but it also applies to organisations outside the EU that offer goods or services to individuals within the EU or that monitor the behaviour of individuals within the EU;
  7. Data Protection Officers - this is an information governance role, and some organisations (public authorities, and those whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data) will be required to appoint someone to take responsibility for data protection compliance within the organisation. Others may still choose to do so;
  8. Breach Management - now is the correct time to implement procedures to detect, report and investigate a personal data breach and to have a plan in place for how the organisation would respond. Under the GDPR a breach which is likely to result in a risk to individuals must be reported to the supervisory authority (in the UK, the ICO) within 72 hours of the organisation becoming aware of it, and affected individuals must be told without undue delay where the risk to them is high, so the ability to detect a breach quickly and to record what happened matters as much as the response itself.