We briefly mentioned GDPR in our August Bulletin, but for the businesses we work with who store and use a lot of data about their customers, this is really important. It is essentially a long overdue and much needed revision of the DPA (Data Protection Act); however, so much has changed that it is a law unto itself.
The GDPR will:
- Increase the scope of data protection laws, both nationally and contextually
- Drastically increase the penalties for data breaches and infractions from a max of €500,000 to a max fine of €20,000,000 or 4% of your turnover, whichever is greater
- Cause significant changes to the way you record and process data
So here are the 11 things you need to do to successfully incorporate GDPR into your business.
1. Map your Data Flows
How are you going to comply with new data laws if you don’t know what data you have? Take some time to figure out exactly where your data is stored, where it goes and how it is handled. Once you have this information you can then begin to figure out how you’re going to comply with GDPR.
2. Identify Cross Border Transfers
There is a significant risk if data is “exported” outside the EU, and you may do so only under certain conditions. Establishing an inventory of these transfers will allow you to move data safely across different jurisdictions.
3. Identify third party providers and make sure they’re compliant
If you use third party providers, such as pension companies, then you’ll need to make sure they are compliant too.
4. Some businesses may need to appoint a Data Protection Officer (DPO)
You may need to appoint a data protection officer. These may be shared between organisations, but if you handle a lot of data they will be relied on to ensure compliance.
5. Don’t rely on consent
Consent to use data is much harder to rely on under GDPR. You must provide “accurate and full information” on how the controllers’ data is being used, and you must make it “as easy to withdraw consent as to give it”. Finally, consent is not freely given if there is an imbalance between the data subject and the controller – you may not make a service conditional on consent.
However, there are other valid bases for processing:
- A contract that the individual has entered into, or asked for something to be done so they can be entered into a contract
- Complying with legal obligations
- Proportionate processing for a legitimate business interest (e.g. giving details to a debt collector – even though the individual has not consented, you have a “legitimate interest” to pass on the data).
6. Adapt your privacy notices and policies
A key part of staying fine-free is to draft a new, thorough, GDPR-compliant policy which incorporates everything learnt from your data flow mapping and audit.
7. Consider privacy implications at all stages
Privacy impact assessments should be carried out as a matter of course whenever you use individuals’ personal data.
8. Get ready for data subject access requests
The £10 fee for data access is being scrapped – you must provide access to individuals’ data for free, and the time limit for compliance is being reduced from 40 days to one month. However, in most HR-related cases employers will have the flexibility to extend the time limit.
9. Training
Training is essential and should take place at all levels of an organisation – everyone in your organisation needs to understand the significance of GDPR and the importance of protecting personal data.
10. Breach management
If you have been the victim of a breach, you will have 72 hours to report it to the relevant authorities – a requirement backed by stronger penalties that are much easier to enforce.
11. Identify your lead regulators – the “one stop shop”
For those of you who trade across borders in the EU, you may appoint one lead supervisory authority (LSA). This organisation will have primary responsibility for overseeing your organisation’s processing of data. If you process personal data with no cross-border element, you will be subject to your national data protection authority.
Following these steps should help you to align your business with the new legislation. What is important to remember is that GDPR is already law. While it will not be enforced until May 2018, this is an implementation period, and ideally you should be conforming to the new rules as soon as possible.