The General Data Protection Regulation (GDPR) will replace the current Data Protection Directive on which the UK Data Protection Act 1998 (DPA) is based and apply in all member states from 25 May 2018.
What about BREXIT?
The widely held view is that, even though the UK has voted to leave the EU, the UK will still wish to be considered an “adequate” jurisdiction for data protection in order to enable trade with the EU. The government will be considering the impact of BREXIT on the GDPR, but it is likely that the UK will adopt the same, or at least very similar, data protection provisions to those in the GDPR.
What should businesses be doing now?
It is prudent for businesses to begin preparing for the GDPR now. Fines for non-compliance under the GDPR are set to escalate to the greater of 4% of annual worldwide turnover or €20,000,000 for breaches of the data protection principles, the conditions for consent, data subjects’ rights or the rules on international data transfers.
The Information Commissioner’s Office (ICO) have published guidance on preparing for the GDPR and also details of the GDPR guidance organisations can expect to receive and when.
The links for this guidance are set out below and are summarised in 12 guidance steps as follows:
1. Awareness
Ensure key decision makers are aware of:
- The law changing to the GDPR (once formally adopted)
- Likely impact, particularly in areas likely to cause compliance problems
- Resource implications for achieving compliance.
2. Information audit
Organisations are advised to document the following:
- Personal data held (across the organisation and within particular departments).
- Where the data originated.
- With whom the data is shared.
3. Communicating privacy information
Organisations should review privacy notices in light of anticipated GDPR changes. Changes include the requirement to explain in a short, simple and clear manner the following:
- The legal basis for processing data.
- Data retention periods.
- The right to complain to the ICO.
4. Individuals' rights
Procedures should be checked to ensure that they cover how to properly manage a request from an individual seeking to exercise their GDPR rights. These rights are mainly the same as those under the Data Protection Act, but the GDPR additionally adds rights around preventing profiling and a new right to data portability.
5. Subject access requests
Organisations should update policies and procedures to handle new GDPR features in relation to subject access requests:
- A new one month time limit to respond (rather than 40 calendar days).
- Providing data subjects with extra information, such as on data retention periods and on their right to have inaccurate data corrected.
- In most cases organisations will not be able to charge for complying with a request.
- Manifestly unfounded or excessive requests may be charged for or refused, so clear policies to justify such decisions should be created.
- The ICO recommends conducting a cost-benefit analysis for providing data subjects with online access to their information.
6. Legal basis for processing personal data
The guidance suggests that organisations should:
- Examine the types of data processing the organisation carries out.
- Document the legal basis for carrying out each type of processing (broadly the same as those in the DPA), which will also assist with meeting GDPR accountability requirements.
- Set out the legal basis for processing in privacy notices and when responding to subject access requests.
- The guidance points out that individuals will have a stronger right to have their data deleted where consent is the legal basis for processing.
7. Consent
The GDPR contains additional measures around consent. "Consent" or "explicit consent" must be freely given, specific, informed and unambiguous. Consent must also be a positive indication of agreement to data processing - it cannot be inferred from silence, pre-ticked boxes or inactivity. Therefore, the ICO recommend that organisations do the following:
- Review how consent is sought, obtained and recorded.
- Consider whether alterations or alternatives to consent mechanisms are necessary to meet the GDPR requirements and to provide an audit trail for demonstrating consent.
8. Children
There will be special protection for children’s personal data, and organisations will need to consider which systems to use for verifying individuals’ ages and for obtaining parental or guardian consent, which the GDPR will require in order to lawfully process a child’s data.
9. Data breaches
The GDPR will introduce a general duty to notify the ICO of certain types of breaches. This differs from the current regime where only certain types of organisations must report breaches by law.
10. Data Protection by design and Data protection impact assessments
The guidance suggests that organisations:
- Adopt a privacy by design and data minimisation approach to all activities involving data processing, as this will be compulsory under the GDPR.
- Become familiar with the ICO's guidance on Privacy Impact Assessments (PIAs).
- Assess situations where it will be necessary to conduct a PIA.
11. Data Protection Officers
Under the GDPR, a new obligation arises to appoint a Data Protection Officer (DPO) in certain cases.
12. International
A new GDPR one-stop-shop system will change how complaints involving processing across multiple member states are allocated between data protection supervisory authorities. An organisation that operates internationally needs to determine which data protection supervisory authority applies to it.
Where can I find the guidance?
You can also subscribe to the ICO’s newsletters to help keep up to date with developments.
The above guidance is an initial steer on the action points organisations need to take in relation to the GDPR and compliance. It is not something that should be put on the back burner, but needs to be considered by organisations now.