On 25 May 2018 the GDPR comes into effect, bringing about the biggest change to data protection laws in over 20 years.
So significant are the changes introduced by the new law that organisations have been given a ‘two year lead-in period’ to ensure that they have sufficient time to bring their processes and systems in line with the new requirements before the 2018 deadline.
With increased media coverage driven by the threat of a headline-grabbing €20m cap on fines, awareness that there is change on the horizon is growing. However, many organisations remain unclear as to what action they need to take, or have underestimated the extent of the work required to update their compliance strategies. Others have put their plans on hold in light of the Brexit vote. With less than a year to go, and clear confirmation that the GDPR will apply regardless of Brexit, organisations are starting to find themselves on the back foot.
The Compliance Step Plan below is designed to assist those who want to know what practical steps they should be taking over the next year to ensure they are ready for the GDPR.
- Pick your project team: the work needed to ensure compliance with the GDPR is onerous, time consuming and requires knowledge of every part of the business, so try not to put all the responsibility on one person. Ideally your project team should include representatives from marketing, HR, customer services and IT.
- Audit your data: to achieve compliance you need to know what data you hold, where it comes from, what you do with it, where you keep it, who you share it with and what happens to it when it is no longer needed.
- Update your fair processing notices: whether you refer to them as FPNs, privacy policies, data protection statements or something else entirely, the information that you give to individuals when you collect their data will need to be updated to meet the new information standards in the GDPR.
- Review your consent mechanisms: under the GDPR you must meet a higher standard of consent and record how and when consent was obtained, all of which will require some updating to your current systems. Think about whether you actually need to get consent for a particular processing activity at all; remember that there are plenty of other legal grounds for processing such as contractual necessity and legitimate interests which you may be better off relying on instead.
- Streamline your SAR process: the GDPR reduces the time for providing a response to a Subject Access Request from 40 days to one month (and abolishes the £10 fee).
- Don’t forget the new rights: individuals have new rights under the GDPR, specifically the right to be forgotten and the right to data portability. You need to ensure you understand what these rights involve and how you will comply with them.
- Record your processing: from May 2018 you will no longer have to register with the ICO, but you must keep a written record of your processing activities, security measures and data retention practices instead.
- Review your contracts: if you appoint someone to undertake data processing on your behalf (e.g. outsourcing payroll) you will need to have written contracts in place containing certain prescribed clauses. Bear in mind that there are specific requirements around international data transfer if your data processor is based, or uses servers located, outside of the EEA.
- Appoint a Data Protection Officer: for many organisations this will be a mandatory requirement under the GDPR.
- Update your breach procedures: from May 2018 mandatory breach reporting will begin. Most breaches must be notified to the ICO within 72 hours and you must keep a full internal breach register.
- Be designed to comply: the GDPR introduces the concept of data protection by design. You need to ensure you are familiar with the concept and understand what it means for your business in practice.
- Train your staff: staff awareness is absolutely crucial to compliance. Different staff members will require different training depending upon their role and responsibilities, but all staff will require some basic awareness training around the GDPR at the very least.