Although the 25 May 2018 deadline has passed, this is not the end of the compliance journey for organisations.
Initial preparation was made easier for businesses by the introduction of a 12-step checklist by the Information Commissioner’s Office (the ICO), which we have detailed here. This checklist highlights and codifies the essential steps for businesses to take in order to prepare for the GDPR.
GDPR change: The GDPR will significantly amend current data protection law. Not everyone within an organisation will be aware of this.
Action to be taken: Make the GDPR reforms known to key people in the business (e.g. those with supervisory or decision-making powers), and make them aware of the effects of such reforms.
GDPR change: If a business has shared inaccurate personal data with another organisation, the GDPR requires that the business notify that other organisation of the inaccuracy. As part of the new accountability principle, businesses will also have to be able to show how they comply with the data protection principles.
Action to be taken: Businesses should consider undergoing an information audit which documents the personal data held by them, the source of such data and details of with whom they share the data.
GDPR change: Additional information must be given to individuals when their personal data is obtained.
Action to be taken: Review current privacy notices/policies and identify those areas which will require updating to ensure compliance with the GDPR.
GDPR change: Individuals will have enhanced rights to:-
Action to be taken: Review privacy/data protection procedures and policies to ensure that they provide for each enhanced right under the GDPR.
GDPR change: Current rules for subject access requests are changing – timescales for compliance will be reduced, fees will generally no longer be chargeable and additional information will require to be provided to individuals e.g. about data retention periods and the right to have inaccuracies corrected.
Action to be taken: Review and update current procedures for handling subject access requests.
GDPR change: The legal basis for processing will need to be explained in privacy notices and when responding to subject access requests. The rights afforded to individuals will vary depending on the legal basis for data processing.
Action to be taken: Review the data processing done by the business and then identify and document the legal basis for processing.
The GDPR applies to the personal data of all individuals within the EU and organisations processing their data are required to comply with the GDPR, regardless of whether those organisations are based within the EU themselves. In the age of data sharing, personal data may be processed in a number of different jurisdictions and the GDPR makes provision for identifying which data protection authority will supervise cross-border organisations.
GDPR change: Parental or guardian consent must be obtained to process personal information of children (i.e. those under 13 in the UK). Consent must be verifiable and written in child-friendly language.
Action to be taken: Create and implement new practices for (i) verifying the age of individuals and (ii) obtaining parental or guardian consent when processing the data of children.
GDPR change: The GDPR widens the number of businesses obliged to notify the ICO and private individuals of data breaches. Failure to comply with this obligation may lead to significant fines by the ICO.
Action to be taken: Ensure that there are procedures in place to detect, investigate and report on personal data breaches. The ICO suggests assessing the types of data held and documenting which ones would trigger notification in the event of a breach.
GDPR change: Organisations must adopt ‘privacy by design’ (i.e. an approach that promotes privacy and data protection compliance from the outset). Organisations should also carry out a Data Protection Impact Assessment (“DPIA”) in high-risk situations. If processing is high risk, the ICO should be consulted on whether processing complies with the GDPR.
Action to be taken: Know when DPIAs should be used, who should be involved and the process to be adopted. Look at the ICO’s guidance on Privacy Impact Assessments for further information.
GDPR change: Public authorities and large businesses will be required to appoint a Data Protection Officer to oversee compliance.
Action to be taken: Where required, identify and designate a Data Protection Officer – this can be someone within or outside the organisation. This will be an important role for the organisation in terms of ensuring compliance with the GDPR. Select someone who has suitable experience.
GDPR change: The GDPR creates a system for determining which data protection supervisory authority takes the lead when investigating a complaint which is international in nature.
Action to be taken: If operating internationally, determine which data protection supervisory authority will be the lead supervisory authority for the business. If the organisation is complex with decisions regarding data processing activities being made in different places, the ICO recommends that businesses map out where the most significant decisions are made to determine the main establishments and then the lead supervisory authority.
Here at MacRoberts, we have extensive knowledge and experience in dealing with compliance and regulatory matters. We can help you with the assistance you need to take proactive measures in ensuring compliance to stop you falling foul of any relevant laws and regulations.
Our Compliance and Regulatory team, headed by Partners David Flint, David Gourlay and Val Surgenor, has an impressive reputation in the legal and commercial markets and takes the time to understand your business, your drivers and your risks, tailoring the advice we provide around you.
We pride ourselves on our diverse, resourceful and highly skilled team of compliance and regulatory solicitors, who have substantial commercial and legal experience, delivering a pragmatic and commercial approach to our clients and their businesses.
If you require advice, assistance or representation in relation to the upcoming General Data Protection Regulation obligations or any other compliance and regulatory matters, contact our team today for expert advice tailored to your needs.