From 25 May 2018 the Data Protection Act 1998 (DPA) will be replaced by the General Data Protection Regulation (GDPR). The new law will allow the regulator to fine organisations the greater of €20,000,000 or 4% of group worldwide turnover for breaches of personal data. Such fines could potentially put some organisations out of business.
We think the changes required by the GDPR are so fundamental to the way you gather, use and store personal data that you will not have time to make them if you leave it too late. There is also likely to be a shortage of properly qualified individuals to help implement the GDPR's requirements within your organisation. You should therefore start preparing now so that your organisation is not exposed to the risk of action from the regulator in 2018.
Raise awareness – make sure key decision makers within your organisation know the law is going to change and the impact it will have. The GDPR is likely to have an impact on your resources and you should start the preparation process now.
Audit the information you hold – you need to know what personal data you hold, where it came from and who you share it with so that you can comply with some of the new aspects of the GDPR.
Check individual rights – the GDPR will include increased data subject rights and new rights of data portability and a right to be forgotten. Now is a good time to check you will be able to comply with your new obligations.
Prepare for subject access requests under the GDPR – most organisations struggle to comply with the current obligation to respond to subject access requests within 40 days. The GDPR will require subject access requests to be complied with within a month and will require additional information to be provided. You will no longer be able to charge for answering requests. You need to check your procedures now to make sure you will be able to comply with the new requirements under the GDPR.
Establish your legal basis for processing – the GDPR requires you to be able to identify the legal basis for each type of data processing you carry out and to document it in a processing record. Most organisations currently assume they can process personal data for their normal operations but cannot say how the law allows this use. The GDPR will allow the supervisory authority access to your processing record on request so you must make sure you have one. You should start looking at this now so that you are ready in 2018.
Review the consent notices you rely on – do you rely on consent for any of your processing activities? Many organisations rely on consent for marketing activities but some use it to enable them to use data for other purposes. If you do rely on consent, you need to review this in time for the introduction of the GDPR. All consent now will effectively have to be explicit consent – you will no longer be able to rely on deemed consent and you will need to be able to demonstrate that consent was given.
Work out if you process data about children – the GDPR has specific protection for children. You need to work out what data (if any) you hold about children. If you gather personal data about children, you will need to put in place systems to verify the child's age and to obtain parental consent for the data processing activity.
Consider your data breach response readiness – the GDPR requires you to notify all breaches of personal data, unless they are unlikely to result in a risk to the rights and freedoms of individuals. Breaches must be reported promptly (without undue delay) and in any event within 72 hours. You are also under an obligation to notify some breaches to those affected by the breach. You need to make sure you have the right procedures in place to detect, report and investigate breaches.
Start using data protection impact assessments – the GDPR will require you to adopt a privacy by design approach, whereby you build privacy considerations into your business and projects. Part of this process is the obligation to carry out data protection impact assessments in certain high risk situations. You should start using data protection impact assessments now to be ready for 2018, when they will be mandatory.
Check whether you need a data protection officer – many organisations will be required to employ a data protection officer (DPO). This will include any organisation which undertakes the regular and systematic monitoring of data subjects on a large scale. The DPO will be responsible within the organisation for data protection compliance.
Establish the international transfers you engage in – if you operate in more than one European country you will need to decide which data protection authority you will fall under. All organisations will be supervised by a single authority even if they operate in different countries. If you are uncertain which authority will oversee you, you should work out where your most significant data processing decisions are made.
Through our strategic partnership with the law firm Ward Hadaway, you have access to a team of company and data protection law experts who have in-depth knowledge of the new law and can provide you with clear, practical advice on how to make sure your company meets its legal obligations.
They can help you understand your current state of compliance and your readiness for the new law. They can help you identify your key data protection risks, work with you to treat, transfer or remove those risks and decide which risks you can accept, and work with you to develop your data protection documentation and processes so that you are ready for the introduction of the GDPR.