The UK government has announced its decision to adopt the EU General Data Protection Regulation (GDPR) regardless of Brexit. This has been widely welcomed for bringing some much needed certainty to those holding and/or processing data.
The GDPR is due to take effect in the UK and EU member states from May 2018, and, in the UK, will replace the Data Protection Act 1998 (DPA).
Key changes to be introduced by the GDPR are:
- Greater control conferred on individuals over their personal data
- Stricter rules on organisations for obtaining consent
- Greater emphasis on keeping individuals informed
- Demonstrating compliance
- Privacy by design
- Strict rules on notifying breaches
- Increased fines for non-compliance (of up to 4% of global turnover)
- Direct obligations and liability for data processors
The GDPR keeps the spotlight on data security and safeguarding personal data to be exported outside the UK and the EEA.
The Information Commissioner’s Office (ICO) has advocated early preparation for GDPR implementation, and has published a 12-step checklist, summarised below.
- Awareness
Raise awareness of the impending changes amongst your organisation’s decision-makers and the likely impact this will have, particularly on compliance.
- Information Held
Conduct an audit of the personal data your organisation holds, where it came from and with whom it is shared.
- Communicating Privacy Information
Review your existing privacy notices (or privacy policies) in light of GDPR changes. Once implemented, the GDPR requires your organisation to explain its legal basis for processing, the retention period, and the right for data subjects to complain to the ICO.
- Individuals’ Rights
Check your existing procedures cover how to respond to requests from data subjects seeking to exercise their GDPR rights. While these rights are similar to those under the DPA, additional rights arise around profiling and data portability which you must take on board.
- Subject Access Requests
Update your organisation’s procedures for dealing with subject access requests to reflect changes introduced by the GDPR.
- Legal Basis for Processing
Assess the various types of data processing your organisation carries out to identify (and document) the legal basis for carrying out each type of processing.
- Consent
Review the way your organisation seeks, obtains and records consent for data processing and make any necessary changes to become GDPR-compliant.
- Children
Consider adopting mechanisms to verify a person’s age, and always obtain a parent or guardian’s consent before processing children’s personal data – the GDPR introduces greater protection for children’s personal data.
- Data Breaches
Check that you have the right procedures in place to detect, report and investigate breaches – the GDPR imposes a general obligation to notify where breaches occur.
- Data Protection by Design and Data Protection Impact Assessments
Adopt a privacy by design and data minimisation approach. Your organisation should familiarise itself with ICO guidance, including on Privacy Impact Assessments, which must be undertaken where high-risk processing is involved.
- Data Protection Officers
Consider if you need to appoint a Data Protection Officer (DPO). If your organisation is a public authority or its activities involve regular and systematic monitoring of data subjects on a large scale, you must appoint a DPO. Even if you are not so required, consider appointing someone responsible for data protection compliance within your business.
- International
If your organisation operates internationally, consider which data protection supervisory authority applies to it under the GDPR’s new “one stop shop” approach to supervision.
Given the clock is now ticking, you need to take action now to ensure your house is in order. For help with preparing for the GDPR, please contact Anthony Lee or John Yates.