GDPR – is your business ready?
With just over 7 months to go before the General Data Protection Regulation (“GDPR”) applies from 25 May 2018, what steps has your business taken to prepare for the new law?
Consultation in the UK on the GDPR has concluded, and in August 2017 the government set out its planned reforms for the new Data Protection Bill. The Bill had its first reading in the House of Lords in September and its second reading is scheduled for October. Until the Bill has received Royal Assent we do not know what final form it will take, but what we do know is that it will bring the GDPR into domestic law, albeit with some modifications.
With the current maximum fine of £500,000 increasing to up to 20 million euros or 4% of annual worldwide turnover (whichever is higher), a business that processes personal data cannot afford to ignore the GDPR and should take steps to prepare for the new law now.
Steps to consider now
We set out the key changes and some of the steps your business should be considering now in our recent article on GDPR. For further information on the GDPR itself, please refer to our leaflet, ‘GDPR: The General Data Protection Regulation’.
If your business processes personal data and has not yet taken any steps in preparation for the GDPR, your business should at the very least consider the following:
Processing personal data
- Identify all existing data systems and the personal data processed.
- Review the technical and organisational measures the business has in place, including whether the level of security is appropriate to the risk (e.g. pseudonymisation of personal data), and whether they are implemented effectively so that the business can demonstrate compliance.
- Consider whether a data protection impact assessment should be carried out.
- Consider whether any personal data is transferred outside the EU and ensure that any such transfer is compliant with the new requirements.
- Review the basis on which your business processes personal data and document it. If your business relies on the specified purposes notified to the data subject on collection of their personal data and is considering any further processing beyond that purpose, it will need to consider if any further action is necessary.
Managing the changes
- Consider whether it is necessary to appoint a data protection officer (DPO) and, if not, consider whether it would be prudent to do so.
- Initiate staff training on the business’ data protection responsibilities.
Internal policies and procedure
- Review privacy notices and other fair processing information, whichever lawful basis your business relies on, and ensure they meet the new transparency requirements.
- Review contracts of employment, handbooks and policies to see whether and how they deal with data protection (and in particular, how consent is sought).
- Establish a policy (with a timeline) for detecting, investigating and handling data breaches; under the GDPR a notifiable breach must be reported to the ICO within 72 hours of the business becoming aware of it.
- Develop and implement a policy on the retention and storage of data, including emails and personnel file information (including disciplinary warnings).
If your business relies on consent to justify its processing, it should consider:
- Review how consent is obtained and consider whether any changes need to be made or whether existing consents need to be renewed. It will not be enough to infer consent from silence, pre-ticked boxes or inactivity.
- Review contracts, terms and conditions and other documents to ensure that the provisions relating to consent are clearly identifiable, clearly written and include all relevant details (e.g. the identity of the data controller, the purpose of the processing, the type of processing and the right to withdraw consent at any time).
- Ensure that withdrawing consent is as easy for the data subject as giving it, and that it can be withdrawn at any time.
- Document consent so that your business can evidence what people were told, and when and how they consented.
Rights of data subjects
- Review procedures to ensure that they cover all the rights individuals have and how requests will be dealt with (including a timeline; the GDPR generally requires a response within one month).
Appointment of a data processor
- If your business appoints a data processor, review any existing contracts or terms and conditions to ensure that the obligations they impose on the processor are compliant with the new requirements.
The ICO has published some useful guidance, which includes its 12 steps to take now in preparing for the GDPR.
How can we help?
We can support your business at every stage in ensuring its compliance with the new law. For further information on the GDPR, please contact either Erol Huseyin or Julie Alchin.