With just over 12 months to go until the General Data Protection Regulation (GDPR) comes into force, now is the time to make sure your organisation is preparing for the biggest overhaul of EU data protection laws for 20 years.
The GDPR introduces a number of key changes to data protection law:
• Consent - the requirements for consent are tightened so that ‘clear affirmative action’ will be required for consent to be established. Pre-ticked boxes will no longer be allowed.
• Transparency - organisations must provide more information to individuals at the point of data collection to explain how it will be used, the legal basis upon which it is being processed, and how long it will be retained.
• Lawful Processing - new rules on processing for new purposes. Public sector organisations will no longer be able to rely on the ‘legitimate interests’ condition.
• Access - the rules allowing individuals to access their personal data and to obtain information about how that data is being used are being strengthened. New rights will enable a right of erasure and a right for data portability.
• Privacy by design and default and privacy impact assessments - organisations are obliged to ‘hardwire’ privacy considerations into their day-to-day operations and projects.
• Breach notifications - there are express statutory obligations to notify privacy regulators and affected individuals in the event of a data privacy breach where there is risk of harm to individuals.
• Accountability - organisations must be able to demonstrate to privacy regulators that they are complying with the GDPR on an ongoing basis.
• Sanctions - the maximum fines that can be imposed for serious contraventions are €20m (or 4% of total worldwide turnover for businesses). Lesser contraventions also carry hefty fines.
What should I be doing?
The GDPR will require all organisations to review how they handle personal data. That includes internal policies and procedures, privacy notices, technology and contractual relationships.
Basic steps you can take now to help you prepare:
• Plan your approach and ensure you have sufficient resources;.
• Carry out an information audit to identify what personal data you hold, where you hold it, where it comes from and what you do with it;
• Review what data you hold and decide whether you still need it. If not, delete it;
• Ensure that any new technology is GDPR-compliant;
• Futureproof any contracts that you enter into that are expected to continue beyond May 2018.