With less than 12 months to go until the General Data Protection Regulation (GDPR) takes effect (from 25 May 2018), Ashfords' Chris Coughlan shares an outline of some of the key changes and provides some tips on what you can do to prepare.
The GDPR is part of an overall package of data protection reform. With the introduction of statutory obligations for data processors, the GDPR will have significant implications for any SaaS and Cloud Services. There is now a significant regulatory exposure for companies which was not previously a concern for them. It is important to be aware of these new regulatory burdens but it is also important to understand that good GDPR compliance will be beneficial from both a trust and commercial perspective.
An ability to demonstrate good GDPR compliance will increase confidence in your business which in turn will increase the value of your business. It will also assist companies in streamlining their data assets which can, in turn, assist with the commercialisation of those assets.
As we are now over halfway through the preparation period, data protection should now be a priority for all businesses. To help you with your preparation we have outlined some of the key changes and have provided an idea of some of the steps that you should be taking to prepare.
In addition to the GDPR, there is also a new ePrivacy Regulation working its way through the European legislature, scheduled to come into force on 25 May 2018. This ePrivacy Regulation will, amongst other things, update the existing cookies and online marketing laws to bring them in line with the GDPR.
- Wider Territorial Scope – As well as applying to European-based organisations the GDPR will also apply to any company either offering goods or services to European residents or monitoring their behaviour even where such companies have no physical presence in the EU. This will obviously extend to UK companies post-Brexit.
- Definition of Personal Data – What constitutes personal data is often a subject of much debate. The existing legislation has been added to by the courts and now the GDPR has expressly included location data and online identifiers such as IP addresses and cookies. It is also important to note that for the purposes of the GDPR hashed data is also personal data.
- Consent – The GDPR has only made some minor amendments to the definition of consent; however, they are significant. Under the GDPR consent must be freely given, specific, informed, unambiguous, distinguishable and easy to withdraw, as well as specific to each processing activity. This will see the end of pre-ticked boxes and consent buried in privacy policies or contract terms.
- Express Contractual Requirements – The GDPR requires that all contracts between a data controller and a data processor must be in writing. In addition to this, there are various issues throughout the GDPR that will need to be included in both new and existing contracts, such as audit rights and approval of sub-processors.
- Data Protection Officers – Those organisations whose core business activities include large-scale regular and systematic monitoring of individuals, or large-scale processing of sensitive personal data, will be required to appoint a DPO. DPOs need to be data protection experts and they must be able to act independently, so there are restrictions on who can and cannot fulfil the role.
- Breach Notification – Data processors must notify the relevant data controller of any breach without undue delay and data controllers must notify the ICO (and in certain circumstances the affected individuals) within 72 hours of becoming aware of the breach. Each notification must contain specified information, including details of the compromised data and the potential impact of the breach.
- Harsher Penalties – The maximum fine that the ICO can currently impose is £500,000 per breach. Under the GDPR this increases to a maximum fine of €20 million or 4% of global turnover, whichever is the greater. There is also a lower tier of the greater of €10 million or 2% of global turnover. These are just the regulatory fines that can be issued; organisations will also need to consider liability between controllers and processors and the possibility of individuals also taking action against them.
How to Prepare
- Mapping & Audit – There is a general theme of accountability running throughout the GDPR which requires organisations to have a continuous understanding of their data flows. All organisations should conduct a data mapping exercise and an audit to ensure any unnecessary or outdated personal data is deleted. This is something that will need to be repeated at regular intervals.
- Policies – All policies and privacy notices must be reviewed, updated or created to ensure compliance. This will be of particular significance for data processors.
- Consent – If you are relying on consent as a ground for processing, it should be active and organisations should not rely on pre-ticked boxes. The consent must also relate specifically to the purposes of the processing. Where there are multiple processing activities, layered consent may be required.
- Evidencing Compliance – As I mentioned above, there is a general theme of accountability running through the GDPR, so organisations will need to keep paper trails of decisions in respect of data processing activity and carry out privacy impact assessments where required.
- Internal Breach Procedures – Given the new breach notification requirements, these breach procedures should be updated, including preparation of incident response plans.
- Training – All members of staff will need to be trained on the new rules. Training will need to be ongoing and tailored to specific functions within the business.
- DPO – Organisations should check whether they are under a requirement to appoint a DPO and even where there isn’t a requirement for a DPO you should consider designating responsibility for data protection to a particular individual.
- Review – You should check existing supply chains, contracts and templates to establish what updates may be required in preparation for the GDPR. In addition to this, all insurance cover should be reviewed to check that coverage extends to data breaches.
This is very much a high-level overview of what to expect and how to prepare. All organisations will be impacted by the GDPR in one way or another, so it is important not to leave your preparation until the last minute.