EU GDPR – Actions to Take

How to prepare for the EU General Data Protection Regulation?

Whether you are at the start of a journey towards data protection compliance or you already have data protection compliance processes in place, you need to start planning now for the GDPR coming into force in 2018.

Initial preparation has been made easier for businesses by the introduction of a 12 step checklist by the Information Commissioner’s Office (the ICO), which we have detailed in our recent blog: ICO’s 12 Steps Checklist: How to Prepare for EU Data Protection Reforms. This checklist highlights and codifies the essential steps which businesses must consider now to prepare themselves for the GDPR.

The 12 Steps Checklist

GDPR change: The GDPR will significantly amend current data protection law. Not everyone within an organisation will be aware of this.

Action to be taken: Make the GDPR reforms known to key people in the business (e.g. those with supervisory or decision making powers), and make them aware of the effects of such reforms.

GDPR change: If a business has shared inaccurate personal data with another organisation, the GDPR requires that the business notify that other organisation of the inaccuracy.  As part of the new accountability principle, businesses will also have to be able to show how they comply with the data protection principles.

Action to be taken: Businesses should consider undergoing an information audit which documents the personal data held by them, the source of such data and details of with whom they share the data.

GDPR change: Additional information must be given to individuals when their personal data is obtained.

Action to be taken: Review current privacy notices/policies and identify those areas which will require updating to ensure compliance with the GDPR.

GDPR change: Individuals will have enhanced rights to:-

  • access their information;
  • have inaccuracies corrected;
  • have information erased;
  • prevent direct marketing;
  • prevent automated decision making and profiling;
  • data portability.

Action to be taken: Review privacy/data protection procedures and policies to ensure that they provide for each enhanced right under the GDPR.

GDPR change: Current rules for subject access requests are changing – timescales for compliance will be reduced, fees will generally no longer by chargeable and additional information will require to be provided to individuals e.g. about data retention periods and the right to have inaccuracies corrected.

Action to be taken: Review and update current procedures for handling subject access requests.

GDPR change: The legal basis for processing will need to be explained in privacy notices and when responding to subject access requests.  The rights afforded to individuals will vary depending on the legal basis for data processing.

Action to be taken: Review the data processing done by the business and then identify and document the legal basis for processing.

The GDPR applies to the personal data of all individuals within the EU and organisations processing their data are required to comply with the GDPR, regardless of whether those organisations are based within the EU themselves. In the age of data sharing, personal data may be processed in a number of different jurisdictions and the GDPR makes provision for identifying which data protection authority will supervise cross-border organisations.

GDPR change: Parental or guardian consent must be obtained to process personal information of children (i.e. those under 13 in the UK).  Consent must be verifiable and written in child friendly language.

Action to be taken: Create and implement new practices for (i) verifying the age of individuals and (ii) obtaining parental or guardian consent when processing the data of children.

GDPR change: The GDPR widens the number of businesses obliged to notify the ICO and private individuals of data breaches.  Failure to comply with this obligation may lead to significant fines by the ICO.

Action to be taken: Ensure that there are procedures in place to detect, investigate and report on personal data breaches. The ICO suggests assessing the types of data held and documenting which ones would trigger notification in the event of a breach.

GDPR change: Organisations must adopt ‘privacy by design’ (i.e. an approach that promotes privacy and data protection compliance from the outset). Organisations should also carry out a Data Protection Impact Assessment (“DPIA”) in high-risk situations.  If processing is high risk, the ICO should be consulted on whether processing complies with the GDPR

Action to be taken: Know when DPIAs should be used, who should be involved and the process to be adopted.  Look at the ICO’s guidance on Privacy Impact Assessments for further information.

GDPR change: Public authorities and large businesses will be required to appoint a Data Protection Officer to oversee compliance.

Action to be taken: Where required, identify and designate a Data Protection Officer – this can be someone within or outside the organisation. This will be an important role for the organisation in terms of ensuring compliance with the GDPR. Select someone who has suitable experience.

GDPR change: The GDPR creates a system for determining which data protection supervisory authority takes the lead when investigating a complaint which is international in nature.

Action to be taken: If operating internationally, determine which data protection supervisory authority will be the lead supervisory authority for the business. If the organisation is complex with decisions regarding data processing activities being made in different places, the ICO recommends that businesses map out where the most significant decisions are made to determine the main establishments and then the lead supervisory authority.

Contact our Specialist Compliance and Regulatory Lawyers

Here at MacRoberts, we have extensive knowledge and experience in dealing with compliance and regulatory matters. We can help you with the assistance you need to take proactive measures in ensuring compliance to stop you falling foul of any relevant laws and regulations.

Our Compliance and Regulatory team, headed by Partners David Flint, David Gourlay and Val Surgenor, has an impressive reputation in the legal and commercial markets and take the time to understand your business, your drivers and your risks, tailoring the advice we provide around you.

We pride ourselves on our diverse, resourceful and highly skilled team of compliance and regulatory solicitors, who have substantial commercial and legal experience, delivering a pragmatic and commercial approach to our clients and their businesses.

If you require advice, assistance or representation in relation to the upcoming General Data Protection Regulation obligations or any other compliance and regulatory matters, contact our team today for expert advice tailored to your needs.

Tools

Print Friendly

Stay in touch with MacRoberts

Legal changes can have a dramatic impact on you and your business. To ensure you are kept abreast of the latest developments and have the knowledge to make timely, effective decisions, please sign up for our free updates.

By continuing to use the site, you agree to the use of cookies. more information

The cookie settings on this website are set to "allow cookies" to give you the best browsing experience possible. If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.

Close