With only 12 months until the General Data Protection Regulation (GDPR) takes effect across Europe, organisations should be well on their way to ensuring compliance from 25 May 2018.
The GDPR is part of an overall package of data protection reform. To assist organisations in their preparation we have set out some of the key changes below. We have also set out steps that organisations should be taking to prepare.
These points should be used to identify any areas of non-compliance within your organisation and to assist with implementing a mitigation strategy.
The GDPR is an opportunity to streamline data protection practices and should enable organisations to strip back data which is inaccurate, out of date or irrelevant.
Data processors will have a significant amount of preparation to do prior to the enforcement of the GDPR. Processors did not have statutory obligations under the Data Protection Act (DPA) but will now be subject to the Information Commissioners Office's (ICO) enforcement powers.
It is important for organisations to take the time to review and implement compliant data protection policies and procedures.
Key Changes
- Wider Scope - The GDPR shall apply more broadly to organisations, including those based outside of the EEA.
- Definition of Personal Data - Has been widened to include: identification numbers, location data and online identifiers, for example IP addresses and cookies.
- Consent - Conditions for obtaining consent are now stricter. Consent should be freely given, specific, informed, unambiguous, distinguishable and easy to withdraw as well as specific to each processing activity.
- Increased Individual Rights - An increase in the rights of individuals to request information regarding the storing and processing of their personal data.
- Direct Obligations on Data Processors - For the first time obligations shall be imposed on processors as well as controllers.
- Data Protection Officers - DPOs have become a legal requirement for certain types of organisations.
- Breach Notification - Notification requirements have been significantly updated as part of the GDPR.
- Harsher Penalties - Maximum fines have been vastly increased.
How to Prepare
- Audit - Organisations should conduct an audit of all data processed to ensure any unnecessary or outdated personal data is deleted. This will help to map the data flows within the organisation.
- Policies - These should be reviewed to ensure compliance or created if they are lacking.
- Reliance on Grounds for Lawful Processing - Ensure clarity on which grounds are being relied on.
- Consent - If relying on consent as a grounds for processing it should be active and organisations should not rely on pre-ticked boxes. The consent must also relate specifically to the purposes of the processing.
- Evidencing Compliance - Organisations should now be keeping paper trails of decisions in respect of data processing and carrying out privacy impact assessments where required.
- Internal Breach Procedures - These should be updated, including preparation of incident response plans.
- Training - All members of staff will need to be trained on the new rules; any person who is likely to receive requests should be taught how to deal and respond with such.
- DPO - Organisations should check whether they are under a requirement to appoint a DPO.
- Review - A check should be completed on existing supply chains, contracts and templates, as some of these may need to be renegotiated. Additionally, insurance arrangements should be reviewed to check that coverage extends to data breaches.
