UK data protection law will change on May 25, 2018 when the EU General Data Protection Regulation (GDPR) takes effect, replacing the Data Protection Act 1998.
With less than four months to go, Taibah Khan sets out what GDPR is and what businesses should be doing to become GDPR compliant.
What is GDPR?
The European General Data Protection Regulation is built around two key principles: giving citizens more control of their personal data, and simplifying regulations for all EU businesses and those businesses contracting with customers in the EU.
The government has confirmed that Brexit will not affect the GDPR start date. It’s also confirmed that post-Brexit, the UK’s own law (or a newly-proposed Data Protection Act) will directly mirror the GDPR.
Businesses should be aware of their obligations under the GDPR and should prepare for compliance with the GDPR now in order to mitigate the risk of incurring large scale fines for non-compliance. Businesses may face fines of up to €20m or 4 per cent of the total worldwide annual turnover of the preceding financial year.
So what should businesses be doing to become compliant?
Review procedures for data breaches and security
There will be mandatory requirements to report data breaches to supervisory authorities, and in some cases to data subjects.
Businesses should carry out a review of security measures to ensure they are robust enough to meet the requirements of GDPR. Where possible, data should be password protected to guard against unauthorised access.
It’s also important to review and revise data breach response plans to ensure you can manage, contain and respond to breaches quickly, and notify the relevant supervisory authority within 72 hours.
Establish and implement data protection
Due to the new concept of accountability in the GDPR, businesses will no longer have to register with or notify supervisory authorities of their processing activities. Instead, data controllers will have to implement appropriate technical and organisational measures to demonstrate that their data processing is performed in accordance with the GDPR.
Create awareness
You should start to educate and create awareness of the new GDPR regulations among the key members of your organisation. Consider the changes required to the business’s current practices, such as:
- expanding transparency (update privacy notices)
- obtaining consent (update consent mechanisms)
- meeting specific data processor obligations (update service contracts)
- adopting privacy by design and by default concepts
- conducting required data protection impact assessments (DPIAs)
- preparing for new documentation (record-keeping requirements)
- reviewing data protection and security measures
- considering the impact of expanded data subject rights
Lawful processing
Businesses will have to explain the legal basis for processing personal data in their privacy notices and when responding to a data access request. They should review the types of data processing they carry out, be clear about the legal basis for each, and document it.
Update policies on how data is collected
You should review your current policies and put a plan in place for making any necessary changes in time for GDPR implementation. In particular, you should start to review your privacy notices and communicate them to your customers, informing them how you process their data.
All privacy notices and/or policies will need to be reviewed and revised to comply with the additional information requirements and ensure that processing is fair and transparent.
Subject access requests
Firms should be aware that there will likely be an increase in access requests, and there may be a need for increased administrative resources to deal with them. Businesses will be obliged to respond to access requests within one month unless they are ‘manifestly unfounded or excessive’ or a national legislative measure allows access to be refused.
Procedures for handling data access requests will need to be reviewed and updated to provide the additional information which data subjects are entitled to.
Individual rights
The GDPR provides individuals with increased rights and more transparency. Firms should review and revise privacy notices, policies and procedures in order to meet the new rights of individuals, and ensure that staff know how to respond to requests for rectification, erasure, data portability or restriction of processing, and to objections to processing.
In particular, businesses will need to ensure appropriate IT systems are in place to deal with the right to erasure, restriction of processing and data portability.
Data privacy by design, by default and privacy impact assessments (PIAs)
Going forward, it’s vital that businesses consider data privacy obligations when designing and developing new products and services.
Businesses need to assess whether their data processing activities are likely to present a ‘high risk’ to individuals and, if so, ensure that a PIA is carried out to address GDPR-specific factors. Firms should consider preparing a template PIA which can be completed each time a new data processing project is embarked on.
For further information and assistance on how we can help your business become GDPR compliant, please contact Taibah Khan on 0161 761 4611 or email her at Taibah.RehmanKhan@whnsolicitors.co.uk