The General Data Protection Regulation (GDPR) is a new EU regulation aimed at protecting the personal data of EU citizens. Since the term ‘personal data’ is so broad, the new regulation impacts almost every EU company, and any company that exchanges or collects data from those who reside within the EU.
The term ‘personal data’ is defined by GDPR as any data record that could potentially identify an individual.
The main intentions for GPPR in simple terms are:
The right to be forgotten
Have easier access to data stored about yourself
Right to know when your data has been hacked
Right to data portability
Security by design and by default
Stronger enforcement of the rules
The regulation comes into effect in May 2018, which is fast approaching, and worryingly, many companies still aren’t taking the steps that they need to be prepared.
Who does it affect?
Many of the main concepts in GDPR are the same as those in the current Data Protection Act, so if you are complying properly with the current law, most of your approach to compliance will remain valid under GDPR and can be the starting point to build from.
As we have already said, GDPR effects everyone. The regulation imposes obligations on companies and defines the rights of citizens to access information related to stored or processed personal data.
Some aspects of the new regulation will have more of an impact on some organisations than others, however – like provisions relating to profiling or data held on children. It’s important when planning for GDPR to map out which areas will have the greatest impact on your business, and prioritise those.
Let’s get you on the right path to complying with GDPR by May 2018, starting with the following 10 steps:
1. Increase awareness of GDPR throughout the business
You need to ensure that key people within your organisation (including decision makers) are aware that the law is changing around data protection. They need to appreciate the impact that this is likely to have and identify areas that could cause compliance problems under GDPR.
Implementing GDPR could have significant resource implications, especially in larger, complex organisations. You may find compliance difficult if you leave preparations until the last minute.
2. Determine what data you hold
You should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit across the organisation or within particular business areas. The GDPR also requires you to maintain records of your processing activities as it updates the rights for a networked world.
3. Communicate new privacy information
You need to review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.
When you collect data currently, you have to give people certain information, such as how you intend to use their information. Under GDPR you need to explain your lawful basis for processing their data, your retention periods and that individuals have the right to complain to the ICO if they feel there is a problem with how you’re handling their data.
4. Check individuals’ rights
You need to check your procedures to ensure that they cover all the rights that individuals have under GDPR, including:
The right to be informed
The right of access
The right to erasure
The right to restrict processing
The right to object
The right to rectification
The right to data portability
The right not to be subject to automated decision-making including profiling
5. Update procedures in requests for information
You should update your procedures and plan how you will handle requests for data under the new laws:
In most cases, you won’t be able to charge for complying with the request
You will have one month to comply, not the current 40 days
You can refuse or charge for requests that are ‘excessive’
If you refuse a request, you must tell the individual why and that they have the right to complain to the supervisory authority. You must do this within one month.
6. Processing personal data
You should identify the lawful basis for your processing activity in the GDPR, document it and update your privacy notice to explain it. The most obvious example is that people will have a stronger right to have their data deleted where you use consent as your lawful basis for processing.
7. Review how you seek, record and manage consent
You should review how you seek, record and manage consent, and whether you need to make any changes. Refresh existing consents now if they don’t meet the GDPR standard.
Consent must be freely given, specific, informed and unambiguous. There must be a positive opt-in – consent cannot be inferred from silence, pre-ticked boxes or inactivity.
8. Investigate your data breaches procedure
Some organisations are already required to notify the ICO (and possibly some other bodies) when they suffer a personal data breach. The GDPR introduces a duty on all organisations to report certain types of data breach to the ICO, and in some cases, to individuals.
You should put procedures in place to effectively detect, report and investigate a personal data breach.
9. Decide if you need data protection officers
You should designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements. You should consider whether you are required to formally designate a Data Protection Officer (DPO).
10. International implications
If your organisation operates in more than one EU member state, you should determine your lead data protection supervisory authority and document this.
This is only relevant where you carry out cross-border processing – i.e. you have establishments in more than one EU member state or you have a single establishment in the EU that carries out processing which substantially affects individuals in other EU states.