GDPR: the Countdown to Compliance
5 June 2017
On 25 May 2018 the General Data Protection Regulation (GDPR) comes into effect, bringing about the biggest change to data protection law in over 20 years. So significant are the changes introduced by the new law that organisations have been given a two-year lead-in period to bring their processes and systems in line with the new requirements before the 2018 deadline. However, many have been slow to appreciate the extent of the work required to update their compliance strategies, and many more put their plans on hold in the light of the Brexit vote. With just one year to go, and clear confirmation that the GDPR will apply regardless of Brexit, organisations are now finding themselves on the back foot.
With increasing media coverage driven by the threat of headline-grabbing fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher, awareness that there is change on the horizon is growing, yet many organisations remain unsure of what they should actually be doing to prepare. For some, the GDPR has become the elephant in the room.
We have prepared this compliance step-by-step plan to assist those who want to know what the GDPR actually requires in practical terms:
- Pick your project team – the work needed to ensure compliance with the GDPR is onerous, time consuming and requires knowledge of every part of the business, so try not to put all the responsibility on one person. Ideally your project team should include representatives from marketing, HR, customer services and IT.
- Audit your data – to achieve compliance you need to know what data you hold, where it comes from, what you do with it, where you keep it, who you share it with and what happens to it when it is no longer needed.
- Update your fair processing notices – whether you refer to them as FPNs, privacy policies, data protection statements or something else entirely, the information that you give to individuals when you collect their data will need to be updated to meet the new information standards in the GDPR.
- Review your consent mechanisms – under the GDPR you must meet a higher standard of consent and record how and when consent was obtained, all of which will require some updating to your current systems. Think about whether you actually need to get consent for a particular processing activity at all; remember that there are plenty of other legal grounds for processing such as contractual necessity and legitimate interests on which you may be better relying instead.
- Streamline your SAR process – the GDPR reduces the time for responding to a Subject Access Request from 40 days to one month (and abolishes the £10 fee).
- Don’t forget the new rights – individuals have new rights under the GDPR, specifically the right to be forgotten and the right to data portability. You will need to ensure you understand what these rights involve and how you will comply with them.
- Record your processing – from May 2018 you will no longer have to register with the ICO but you must keep a written record of your processing activities, security measures and data retention practices instead.
- Review your contracts – if you appoint someone to undertake data processing on your behalf (e.g. outsourcing payroll) you will need to have written contracts in place containing certain prescribed clauses. Don’t overlook the international data transfer requirements if your data processor is based, or uses servers located, outside of the EEA.
- Appoint a Data Protection Officer – for many organisations this will be a mandatory requirement under the GDPR, in particular public authorities and organisations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special category data.
- Update your breach procedures – from May 2018 mandatory breach reporting will begin. Any breach likely to result in a risk to individuals must be notified to the ICO within 72 hours of your becoming aware of it, and where the risk is high the affected individuals must also be told without undue delay. Every breach, whether or not it is reportable, must be recorded in a full internal breach register.
- Be designed to comply – the GDPR introduces the concept of data protection by design and by default. You need to ensure you are familiar with the concept and understand what it means for your business in practice.
- Train your staff – staff awareness is absolutely crucial to compliance. Different staff members will require different training depending upon their role and responsibilities, but all staff will require some basic awareness training around the GDPR at the very least.
We offer a range of training courses to help your business comply with data protection laws and to raise awareness amongst your staff. Details of our training courses are available on our website.
If none of our standard courses offer quite the right fit for your organisation we are happy to create a bespoke training session for you.
The content of this article is for general information only. It is not, and should not be taken as, legal advice. For further information, please contact the author or a member of Birketts’ Employment Law Team in the first instance. Law covered as at June 2017.