Since the last significant change in data protection laws in the UK and Europe, the world of information technology has experienced a paradigm shift. Who would have thought we would be holding, sharing and viewing so much personal information, with access to encyclopaedic quantities of personal data, truly at the touch of a button?
Getting it wrong could be costly in terms of reputation, lost business, and now, credible financial penalties of €20m or 4% of worldwide annual turnover, whichever is the greatest.
The EU General Data Protection Regulation (“GDPR”) is a belated overhaul of the European data protection legislation, which will make firms “processing” or “controlling” personal data make wholesale changes to the way in which this data is identified, stored, protected and destroyed.
What firms will be subject to GDPR?
In short, all firms will be subject to GDPR if they are “Controllers” or “Processors” of personal data. To clarify, Controllers are “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”. Processors are defined as “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.”
What do firms need to do?
The UK’s Information Commissioner’s Office (“ICO”) has put together a useful outline of the steps organisations need to take to become compliant.
Firms should make sure that decision-makers and key people in their organisation are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have, which could be significant in terms of operations and cost.
Firms should document what personal data they hold, where it came from and who it is shared with. This may involve an information audit across the organisation or within particular business areas.
Firms should review their current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.
Firms should check their procedures to ensure they cover all the rights that individuals have, including how firms would delete personal data or provide data electronically and in a commonly used format.
The GDPR includes the following rights for individuals:
- the right to be informed;
- the right of access;
- the right to rectification;
- the right to erasure;
- the right to restrict processing;
- the right to data portability;
- the right to object; and
- the right not to be subject to automated decision-making including
Firms should update their procedures and plan how they will handle requests to take account of the new rules:
- In most cases, firms will not be able to charge for complying with a request.
- Firms will have a month to comply, rather than the current 40 days.
- Firms can refuse or charge for requests that are manifestly unfounded or excessive.
- If firms refuse a request, they must tell the individual why and that they have the right to complain to the supervisory authority and to a judicial remedy. Firms must do this without undue delay and at the latest, within one month.
Firms should identify the lawful basis for their processing activity in the GDPR, document it and update their privacy notice to explain it.
Firms should review how they seek, record and manage consent and whether they need to make any changes. Refresh existing consents now if they don’t meet the GDPR standard.
Firms should start thinking now about whether they need to put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity.
Firms should make sure they have the right procedures in place to detect, report and investigate a personal data breach.
GDPR makes privacy by design an express legal requirement, under the term ‘data protection by design and by default’. It also makes PIAs – referred to as ‘Data Protection Impact Assessments’ or DPIAs – mandatory in certain circumstances.
Firms should designate someone to take responsibility for data protection compliance and assess where this role will sit within the organisation’s structure and governance arrangements.
If a firm operates in more than one EU member state, it should determine its lead data protection supervisory authority and document this.