The General Data Protection Regulation (GDPR) is coming. It affects every organisation that handles personal data. There is a lot to do, and you will need to act quickly if you want to be prepared.
To be ready for GDPR you’ll need to:
- Review and amend your privacy policies and notices.
- Establish a system for managing and correcting the data you share with other organisations.
- Ensure you are able to comply with the new Subject Access obligations.
- Review your legal basis for processing data, and ensure your consent management is compliant.
- Understand the requirement for Privacy Impact Assessments, and data breach reporting, and be prepared to use them.
- Put in place policies, procedures and monitoring processes to manage your compliance.
- Consider the need to appoint a suitably qualified Data Protection Officer.
- Train your organisation so that it understands the new rules and obligations.
Privacy policies and notices
Under the GDPR you will need to explain your legal basis for processing data and how long you will retain it, and tell data subjects that they have the right to complain to the Information Commissioner's Office if they think something is wrong. The explanations you give to data subjects must be concise and easy to understand.
Managing and correcting data
You will need to know what personal data you hold, where it came from and who you share it with, because there is a new obligation to tell the organisations with whom you have shared data about any inaccuracies in that data. This is in addition to the current obligation to ensure the data you hold is accurate.
Subject access requests
You will normally have just a month to comply with a subject access request (extendable by a further two months where a request is complex or numerous), and in most circumstances you will not be able to charge for providing the information. When responding to a subject access request you will also need to explain your data retention period and the right to have inaccurate data corrected. Where the request was made electronically you must provide the data in a commonly used electronic format, unless the data subject asks for it in another form.
Processing and consents
Under the GDPR the rights of data subjects differ depending on the legal basis on which their data is processed. If you rely on consent, the data subject's rights are greater: for example, consent can be withdrawn at any time. You will need a system for understanding and managing the basis on which you process data, and if you rely on consent the GDPR makes it clear that you must be able to demonstrate that consent was given, which means you will need an effective audit trail. If you offer online services directly to a child and rely on consent, you will also need the consent of a parent or guardian for children below the age threshold (16 under the GDPR, which member states may lower to 13).
Privacy Impact Assessments and Data Breaches
In high-risk situations, for example where new technology is used or where processing is likely to significantly affect individuals, you are likely to be required to carry out a Privacy Impact Assessment (PIA), which the GDPR calls a Data Protection Impact Assessment. If this may apply to you, you will need to put in place a process for carrying them out in your organisation, including deciding who will take responsibility for them.
If you suffer a personal data breach you will be required to notify the Information Commissioner's Office without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. If the breach is likely to result in a high risk to the affected data subjects, you will also need to notify each of them without undue delay.
Systems and Controls
The GDPR introduces an accountability principle, meaning you will need to be able to show that you comply with its requirements and have effective policies, procedures and auditing tools to demonstrate that compliance. You should ensure that somebody in your organisation takes responsibility for this and regularly reviews your systems and controls to ensure they remain adequate.
Data Protection Officer
Organisations that are public bodies, or whose core activities involve either (a) regular and systematic monitoring of data subjects on a large scale, or (b) large-scale processing of special categories of data, will be required to appoint a suitably qualified Data Protection Officer.
Training
Everybody in your organisation needs to know and understand how the GDPR affects them. If you have a compliance failure you will need to be able to show what action you took to prevent it from occurring, and that includes making sure that employees were properly trained on how to meet their obligations.
2018 may seem a long way off, but there is a lot of work to do in order to be compliant, and to be ready the key decision makers in your organisation need to understand their obligations now. The GDPR allows fines of up to 4% of annual worldwide turnover or €20 million, whichever is higher, for non-compliance, so make sure your organisation is prepared.
We are experts in regulatory compliance and regulatory technology. Speak to us today for a no-obligation discussion about how we can help.