Are you ready for GDPR?
The General Data Protection Regulation (GDPR) is a new legal framework that applies in the UK from May 2018. Regardless of Brexit, The UK Government have confirmed that the decision to leave the EU will not affect the commencement of GDPR.
If you are currently subject to the UK Data Protection Act 1998 (DPA), it is likely that you will be subject to the GDPR. If you currently comply with the DPA then most of your approach to compliance will remain valid for the GDPR, but there are some differences in the new regulation such as:
- The definition of personal data has been extended to include online identifiers such as IP addresses and cookies;
- Additional obligations on Data Controllers to ensure contracts with Data Processors comply with the GDPR;
- Consent requires some form of clear affirmative action and must be verifiable;
- New provisions for the protection of children’s personal data;
- New rights for individuals;
- Enhanced requirements for the implementation of comprehensive but proportionate governance measures to minimise the risk of breaches;
- A duty on all organisations to report certain types of data breaches;
- The Data Controller is responsible for and should be able to demonstrate compliance with the GDPR principles.
Failure to comply with the GDPR could result in fines of up to 20 million Euros or 4% of global annual turnover, whichever is greater.
The Information Commissioners Office (ICO) has produced some guidance for organisations but in summary, a GDPR readiness assessment should be conducted to identify any gaps in compliance and plan your approach to GDPR.
The ICO provides a 12 step approach which is summarised below:
- Ensure that senior management are aware of the changes and the impact of GDPR. Many organisations believe that information and its security is the responsibility of IT. The business owns the information within the organisation and the associated security risks. A Senior Information Risk Owner (SIRO) should be assigned by the board to act as the point of contact for risk ownership decision making on behalf of the board (although the bard as a whole is still responsible).
- Identify and document the personal data you hold. It is good practice to document all data types (financial, operational etc.) but for GDPR, organisations have a responsibility to ensure personal data is accurate. You can’t do this is you don’t know what personal data you hold. Appoint Information Asset Owners (IAOs), typically heads of business areas/departments to take ownership and accountability for data.
- GDPR introduces new requirements for privacy statements i.e. what you should tell people when you collect their personal data such as your legal basis for processing the data, your data retention period and the invidual’s right to complain to the ICO if they believe there is an issue with the way you are handling their data. Review your current privacy notices to identify any gaps in compliance and implement a plan to change them if required.
- Check your procedures to ensure all the rights of individuals are covered. The main rights for individuals under GDPR are:
- Subject access
- To have inaccuracies corrected
- To have information deleted
- To prevent direct marketing
- To prevent automates decision making and profiling
- Data portability
- Organisations currently have 40 days to respond to subject access requests. This has changed to a month under the GDPR and in most cases, you will not be able to charge for complying with a request. Existing data procedures should be updated to account for the new timescales.
- Identify your legal basis for data processing and be prepared to explain it in your privacy notice and when you answer a subject access request. The legal bases in the GDPR are broadly similar as those in the DPA but they should be documented to help with compliance with the accountability requirements.
- Review how you are seeking, obtaining and recording consent and whether any changes are required to comply with the GDPR. The main new requirement is that consent has to be a positive indication of agreement to personal data being processed. Consent has to be verifiable and Data Controllers must be able to demonstrate that consent was given.
- If you collect personal data on children (probably be defined as anyone under 13) then there are some additional requirements under the GDPR. Consider implementing systems to verify ages and the gathering of parental or guardian consent for data processing. The GDPR puts greater emphasis on the protection of children’s personal data particularly in online environments. Privacy notices must be written in language children will understand.
- Ensure you have procedures in place for the detection, reporting and investigation of personal data breaches. Where a breach results in some sort of damage to an individual such as identify theft or unauthorised access to personal data, the breach has to be reported to the ICO. In some cases, you will have to notify the data subject(s) of the breach. Failure to notify of a breach could result in a fine as well as the fine for the breach itself.
- Implement a process to conduct Privacy Impact Assessments to identify the most effective way to comply with data protection obligations and meet individuals’ expectations or privacy. PIAs should be part of organisational risk management and project management processes. Identify conditions for when a PIA is required and who would conduct it.
- Assign a Data Protection Officer or someone to take responsibility for data protection compliance. This is a requirement for public authorities or organisations that regularly collect and process large quantities of personal data.
- If your organisation operates internationally, determine which data protection supervisory authority the organisation comes under. The lead authority is determined according to where your organisation has its administration or where decisions about data processing are made. This authority would take the lead when investigating a complaint involving data processing in a number of Member States.