Data Protection Time To Prepare For The GDPR
The General Data Protection Regulation will come into force in May 2018. Although the UK has voted to leave the EU businesses cannot ignore this major EU piece of legislation. All businesses need to prepare for the GDPR as it is highly likely that the UK will still be a member of the EU when it comes into force and, even after Brexit, UK businesses that offer goods and services to, or monitor the behaviour (within the EU) of, EU data subjects will still need to comply.
So what does the Information Commissioner (ICO) advise?
All decision makers and key people in your organisation need to be aware of the GDPR; plan for its implementation and allocate resources
2. Information you hold.
All information held should be documented including where it came from and who you share it with. Businesses will need to comply with the accountability principle in the GDPR which requires organisations to show how they comply with the data protection principles.
3. Communicating privacy information.
Review current privacy notices and plan for necessary changes such as the new requirement to explain the legal basis upon which you process data; your data retention periods and the data subject’s right to complain to the ICO if they think there is a problem with the way in which your organisation handles their data.
4. Individuals’ rights.
Check your procedures to ensure that they cover all of the rights that a data subject has. In general these are the same as under current legislation but with enhancements. Consider if you could comply with these rights; check your procedures and implement new policies.
The main rights are:
- Subject access
- To have inaccuracies corrected
- To have information erased (otherwise called the right to be forgotten)
- To prevent direct marketing
- To prevent automated decision-making and profiling
- Data portability
5. Subject access requests.
The rules are changing. In most cases no charge will be able to be made and normally businesses will have 1 month to comply rather than the current 40 days. Additional information must also be supplied such as the length of data retention periods and the right to have inaccurate data corrected. Update your procedures for handling subject access requests to cater for this.
6. Legal basis for processing personal data.
Organisations need to identify the legal basis on which they process data and document it. This is necessary as some of the rights of the data subjects will differ depending upon the legal basis for processing their data.
Data Protection Time To Prepare For The GDPR
Review how you seek, obtain and record consent. Consent must be a positive indication of agreement so it cannot be inferred from silence, pre-ticked boxes or inactivity. It must also be given freely and it must be specific, informed and unambiguous.
You need to put in place systems to verify individuals’ ages and to gather parental or guardian consent if you collect information about children. In the UK if you collect data about anyone under 13 then consent from a parent or guardian will be required. Privacy notices will need to be written in language that children will understand.
9. Data Breaches.
Notification of breaches where the data subject is likely to suffer some form of damage, for example identity theft or a confidentiality breach, will have to be notified to the ICO. Procedures to detect, report and investigate personal data breaches will be required. Any failure to report a breach when required to do so could lead to a fine.
10. Data Protection by Design and Data Protection Impact Assessments.
The ICO has already produced guidance on privacy impact assessments (PIAs). The guidance shows how PIAs can link to other processes such as risk management and project management. PIAs are required in high risk situations such as when a new technology is being deployed or a new profiling operation is likely to significantly effect individuals.
11. Data Protection Officers.
Some organisations (such as public authorities and those whose activities involve the systematic and regular monitoring of data subjects on a large scale) will need to designate a data protection officer. In general organisations should ensure that someone, whether an employee or third party advisor, takes responsibility for data protection compliance.
If you are an international organisation you need to determine which data protection supervisory authority you come under. This is the authority where the organisation has its main administration function or where the decisions about data protection are made.
If you would like advice on how the GDPR may affect you then please talk to Tollers on 01908 396 230 and ask for Liz Appleyard in our Commercial Law Team, who will happily assist you.