General Data Protection Regulation – The countdown has begun.
What should businesses be doing now to ensure that they are demonstrating compliance by 25 May 2018?
It is now less than a year until the GDPR applies (from 25 May 2018) and the level of interest (and perhaps a little perturbation) from clients is rising. The key concern is what clients need to do now in order to be able to demonstrate compliance by 25 May next year.
The other concern is whether the GDPR will even apply given our impending Brexit and the uncertainty that this entails. What is clear is that, although the UK will be in formal negotiations to leave the EU on that date, it will not have left by May next year, so the GDPR will apply in the UK. In any event, even after Brexit, any business that processes the personal data of individuals in the EU in the course of offering them goods or services (or monitoring their behaviour) will still be required to comply with the GDPR. Furthermore, it is highly unlikely that the UK government will repeal the legislation in order to relax data protection law after Brexit.
Businesses should not be alarmed by the introduction of the GDPR. It is not intended to throw a spanner in the works of your data processing; it is intended to make you look at your current data practices and tighten up in the areas where they fall short of the expected standards. It is essential to consider the rights of data subjects when collecting and processing personal data and to keep those rights at the forefront of your business activities.
So what should you be doing? There is much that you can be doing now to ensure that the business is compliant in time. This is our 10 point plan for steps to take now – it is not intended to give you detailed guidance, but to start you on your journey:
- Awareness – The GDPR will affect your business and the way you collect, process and store personal data. It is essential to have ‘buy in’ from the key decision makers within the business. The first step is to ensure that the Board is fully briefed on the incoming law and supports any changes the business may need to make.
- Audit – The second step is a fundamental one: you need to document what personal data you hold, where it comes from, why you hold it (and the lawful basis you rely on), how long it is required for, and who you share it with. Any sharing that goes outside the EEA should be noted, as international transfers are subject to their own conditions. We suggest that you separate out each department within the business (as they may hold and process data in different ways) and allocate this task to the department leaders.
- Privacy Notices and Fair Processing Notices – Review your current privacy notices and update them in line with the GDPR, which requires that individuals be given more information: what data you hold, the purpose and lawful basis for processing it, how long you will keep it, and who else will see it. You must also inform individuals of the rights they have over their data, including the right to complain to the ICO.
- Be aware of the new and strengthened rights for individuals – The rights summarised as ‘Delete it, Freeze it, Correct it’ give data subjects the right to have their data erased, to have processing of it restricted, and to have inaccurate data corrected. Data portability is also being introduced, allowing data subjects to receive the data they have provided in a machine-readable format and to have it transferred from one controller to another.
- Time frames for Subject Access Requests – Previously, Subject Access Requests (“SARs”) had to be responded to within 40 days. Under the GDPR they must be responded to without undue delay and in any event within one month, which can be extended by a further two months where necessary, taking into account the complexity and number of the requests. The current £10 fee that can be charged under the Data Protection Act 1998 is abolished. However, where a request is “manifestly unfounded or excessive” the business may either charge a “reasonable” fee, taking into account administrative costs, or refuse to act on the request altogether. Clearly this is a significant change, and a refusal to act is not something to be used lightly: the business bears the burden of demonstrating that the request is manifestly unfounded or excessive, so the reasoning must be clear, justified and fully documented. What counts as “manifestly excessive” will depend on the specific circumstances, but it is hoped that the ability to charge a reasonable fee or to refuse outright will discourage vexatious and onerous requests. The intention is that substantial requests should lead to a dialogue between the business and the data subject, clarifying what information the data subject actually wants and how the request will be handled, with the regulator as a fall-back if either side is being unreasonable. If nothing else, the new rule should inhibit requests encompassing thousands of emails and requiring days of work from a team of people.
- Consent – Consent from the data subject is one of the lawful bases (and the least controversial one) on which a business can process personal data. As you might expect, the GDPR sets out stricter and more detailed conditions for obtaining consent: the onus is on the business to show that consent has been given, and such consent must be freely given, specific, informed and unambiguous. It will not be considered freely given if the individual has no genuine free choice. At present, many businesses obtain consent for processing personal data through standard provisions in their employment contracts (for employees or volunteers) or in standard forms. Standard forms are generally offered on a “take it or leave it” basis, under which the individual has no real choice, and the imbalance of power between employer and employee makes a free choice even harder to show. This means that consent obtained in this way is unlikely to be effective from May 2018, and businesses should consider whether another lawful basis (such as performance of the contract or a legitimate interest) fits the processing better. Where consent is given as part of a written declaration that also covers other matters, the GDPR requires the request for consent to be clearly distinguishable from the rest of the document; the ICO currently recommends that the individual gives specific consent using a separate signature box. As is currently the case, an individual has the right to withdraw consent at any time, but the GDPR requires that the business specifically informs him/her of this right before consent is given. The principle is that it must be as easy to withdraw consent as it is to give it.
- Data breaches and impact assessments – Familiarise yourself with the ICO’s guidance on data protection impact assessments (DPIAs). A DPIA is required before any processing that is likely to result in a high risk to individuals, and an existing assessment should be revisited whenever a change in business practice alters the risk. Work out what the risks are to the individuals concerned (and to the business), how those risks can be minimised, and when a change in practice escalates them. You should also have a procedure for detecting, recording and escalating personal data breaches: under the GDPR a breach must be reported to the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it, unless it is unlikely to result in a risk to individuals, and the affected individuals must be told where the risk to them is high.
- Data protection by design – Taking into account the state of the art, the cost of implementation and the nature and risks of the processing, businesses will need to build safeguards into their systems and processes to comply with the new rules. Measures must be taken to minimise the data collected, to ensure it is processed ONLY for the specific purpose for which it was obtained, and to ensure that it is retained for no longer than is strictly necessary in the circumstances. Pseudonymisation, and access controls that limit who can see personal data by default, are examples of the kind of measures intended.
- Documentation – In order to demonstrate compliance, businesses should have comprehensive data protection policies for the internal handling of data; up-to-date employment contracts and privacy notices for staff and, where appropriate, the public; records of processing activities; impact assessments; and a documented procedure for responding to SARs.
- Data Protection Officers – The data protection officer (DPO) can be an employee but must be able to act independently and must report to the highest level of management, i.e. the Board. Appointing a DPO is compulsory for public authorities and where core activities involve large-scale processing of sensitive (special category) data or large-scale, regular and systematic monitoring of individuals. Even where it is not compulsory, it is advisable to appoint someone to take charge of the business’s compliance.
If you want to know more about the impacts of the GDPR on your business please contact me.