The GDPR will come into force on 25 May 2018 – regardless of Brexit – and the new regime will:
- Give individuals more rights over their data and the way it is used
- Impose more onerous obligations on businesses
- Introduce fines of up to €20 million (or 4% of global annual group turnover if this is larger) for failure to comply
Who does it apply to?
The GDPR will apply to any organisation that processes and holds the data of individuals who are inside the EU, even if the organisation itself is based outside the EU.
The UK is implementing a new Data Protection Act, which will ensure that the GDPR continues to apply to the UK, even after its departure from the EU.
Data subjects (the individual that the personal data relates to) will have the right to:
- Be informed
- Access their data (free of charge)
- Have their data rectified
- Have their data erased (the “Right to be forgotten”)
- Have the processing of their data restricted
- Data portability (copying or transferring data from one IT environment to another)
- Object to their data being processed
They also have rights related to automatic decision-making and profiling.
Data processors (the businesses who collect or use the data) will have to comply with all the above rights or risk being fined.
Obligations on Data Processors
Businesses who are Data Processors must:
- Have a lawful basis for processing data
There are 6 grounds which processors can rely on in order to lawfully process data, including obtaining the data subjects consent, or for the business’ “legitimate interests.”
- Implement “privacy by design” and “privacy by default”
The GDPR requires processors to ensure that privacy and data protection is considered early on in a project and is embedded throughout the lifespan of the project rather than just an afterthought.
- Check whether they need to appoint a “Data Protection Officer”
Businesses must appoint a Data Protection Officer if:
- they are a public authority;
- carry out large scale systematic monitoring of individuals, special categories of data or data relating to criminal convictions and offences.
- A Data Protection Officer must ensure the organisation remains compliant with the GDPR; keeping the business informed and advising where required.
- Consider whether to carry out a “Privacy Impact Assessment”
Privacy Impact Assessments should be used to identify and reduce the privacy risks the privacy risks of an organisation’s projects.
How to prepare for the GDPR
Businesses should review their systems and processes now so that they are compliant before the 25 May 2018.
The GDPR’s requirements are too numerous to summarise here, but businesses should ensure they can comply with the above obligations and consider whether they should appoint a Data Protection Officer.
Our experience so far:
At OTB Eveling, we have been working with clients to help them prepare for the changes under the GDPR. We have produced our own GDPR audit questionnaire to enable our clients to assess what their organisations need to do to comply with the GDPR. We have then helped them identify the practical steps they need to take as a consequence of that audit process.
We have provided in-house training to clients and their staff to prepare them for the new requirements; and we have also been helping our clients update their policies, contracts and governance documentation to ensure that they are ready.
Typically, in our experience, clients have needed to review and update (or implement) the following documents and policies:
- Board Memorandum on GDPR
- Data Protection Policy
- Data/IT Security Policy
- Data Retention Policy
- Data Processing clauses for third party contracts
- Data Processing Agreements for third parties
- Standard form Staff handbook/policies – GDPR solution
- Employment contract – recommended GDPR/Data protection wording
- Suggested Employee consent to processing mechanism
- General consent for processing
We continue to support existing and new clients with this process. If you need support or have any questions about how the GDPR will affect your own business, please contact Annelie Carver or Matt Huddleson.