GDPR (General Data Protection Regulation) is coming into force on 25th May 2018 and will overhaul data protection laws in the UK. In this article Jeremy Parkin, Partner in the Corporate department here at Wilkes, examines what actions you should begin taking now ahead of the impending GDPR deadline.
1) Establish the personal data which you hold
Conduct an audit/assessment of the data you currently hold and document this, including what data is held; how it is stored; where you obtained the data from; the purposes for which the data is used; the lawful basis for using the data; and who that data is shared with (if anyone). An audit/assessment will help to demonstrate compliance with the new ‘accountability’ requirement under the GDPR (that is, you must be able to show how you comply with the data protection principles under the GDPR).
2) Review your privacy notices
Review your privacy notices and prepare for changes (if necessary) to ensure that they are GDPR compliant. The GDPR will require privacy notices to be transparent, concise, clear and easy to understand, and to include details of the lawful basis for processing personal data, data retention periods and an explanation of individuals’ rights under the GDPR.
3) Review your consents
If you rely on consent as the legal basis for processing then you will need to review how you gain, record and manage those consents. If any existing consents do not meet the GDPR standard then you will need to refresh them. Consents should be freely given with positive action (freely given can be difficult to establish where there is an imbalance in the relationship, such as between employee and employer); consents should be specific and people must be able to easily withdraw their consent. Positive action will require an opt-in instead of relying on pre-ticked or opt-out boxes. In addition to the GDPR, you also need to consider specific rules under the Privacy and Electronic Communications Regulations in relation to direct marketing.
4) Sharing with third party organisations within the EEA
If you share data with other organisations, you should review the contracts which you have in place with such organisations to ensure that they are GDPR compliant. If you use data processors for all or any processing of data for which you are a controller, then you must have a written contract in place and ensure that such contracts are GDPR compliant.
5) Review of Procedures and Policies
Conduct a review of your internal procedures and policies to ensure that they are GDPR compliant, which may also help you to demonstrate compliance with the accountability requirement. Such reviews should include reviews of internal data protection policies (including staff training on the GDPR) and ensuring that you implement measures that meet the principles of data protection by design and data protection by default (including data minimisation and having data protection at the heart of new products or new processing). You should also ensure that policies cover how you would address the rights of individuals (for instance, how you would delete data if requested to do so).
If your organisation has more than 250 employees, you will be required to maintain internal records of your processing activities. If you have fewer than 250 employees, you are required to maintain records relating to higher risk processing activities. However, this would be a good exercise and record to have in place whatever your size.
6) Data Breaches
You should review your policies in respect of data breaches to ensure that you have procedures in place to detect, report and investigate a data breach. If there is a breach, then under the GDPR you may be required to notify the ICO of this, as well as any individuals concerned.
7) Subject Access Requests
The GDPR has reduced the time period in which you must respond to subject access requests to one month. You should therefore update your procedures and plan how you will handle requests, including how to handle them more quickly.