GDPR - Practical steps to get ready
The GDPR’s main obligations are set to apply to organisations located anywhere in the world. Read this guidance from Sherrards Solicitors on how to get prepared.
"The new regulation is likely to remain a part of English law regardless of Brexit and day one compliance is required across Europe and the UK... The GDPR has effect extra-jurisdictionally - if you want to trade in Europe, you must demonstrate that you have equivalent data protection laws in place."
Geraldine Fabre, Partner, Sherrards Solicitors
On 25 May 2018, the most significant piece of European data protection legislation to be introduced in 20 years will come into force. The EU General Data Protection Regulation (GDPR) replaces the 1995 EU Data Protection Directive.
Why are the laws changing?
The old Data Protection Act in England was introduced in 1998. To put this into perspective, in 1998 Facebook did not exist and most people had not heard of cloud computing. Therefore, laws to protect personal data needed to be updated with some urgency.
What are the aims of GDPR?
The GDPR strengthens the rights of individuals over their personal data and seeks to unify data protection laws across Europe, regardless of where that data is processed. Furthermore, if your business is a data processor, you will now have direct obligations to the regulator and to data subjects, in a way that has not previously been the case.
Will the UK be affected given plans to exit the EU?
The new regulation is likely to remain a part of English law regardless of Brexit and day one compliance is required across Europe and the UK.
12 Practical Steps from the UK Information Commissioner’s Office (ICO)
In May 2017, the UK's Information Commissioner (Elizabeth Denham) provided 12 steps businesses can take to get ready for the GDPR. With just six months to go, businesses must consider and start putting in place the required changes.
The time is now
Whether you work at a big or small company, you need to take note of this new legislation. The game changer for businesses is likely to be the way your operation will need to be run going forward. In particular, you will need to assess the cost of compliance versus the risk (legal and financial) of non-compliance.
This will require the involvement of many teams, not only legal and IT, and the support of key company decision makers. It should be on the board level agenda of all businesses. A budget should also be set aside for compliance. The ICO has warned that given the scale of the changes needed, businesses would be wise not to leave it to the last minute.
Data mapping of the use of personal data is an essential starting point. You should assess and document what you hold, why and where you hold it, how long it is kept for and who you share it with. You should then compare this with what the new rules will allow you to do from May 2018 and beyond. Doing this will also help you to comply with the GDPR’s accountability principle which requires organisations to be able to demonstrate how they comply with the data protection principles, for example by having effective policies and procedures in place.
Form of consent from May 2018
There has been much discussion in the UK and Europe regarding what “consent” or “informed consent” actually means when it comes to an organisation holding and using personal data.
Under GDPR, the requirements relating to how you obtain and demonstrate consent to your use of personal data will be much tighter. As a consequence, you may need to re-consent your marketing database and update privacy notices in time for May 2018. GDPR requires the information in your privacy notice to be provided in concise, clear language.
Direct marketing will receive particular attention, specifically the use of online behavioural marketing, which is used to make advertising more relevant to customers. "Opt out" boxes will no longer be acceptable. Your IT systems will need to be updated to facilitate this as well.
The right to use and hold data
Careful analysis will be needed of why you are justified legally in holding and using each set of personal data for business purposes. Under GDPR, there are conditions that must be met to legally justify the processing of these data.
Changes to your IT systems
Your business will need to re-examine:
- Your website and how cookies are obtained. The rule is that you must be able to demonstrate consent to have acquired data if you are challenged by a consumer or a competitor
- Whether your systems are able to move, copy or transfer personal data between, for example, service providers. Your systems must be able to do this in a safe and secure way. This right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services
- Whether your systems are able to easily and effectively access, rectify, restrict the processing of, or erase data in order to comply with the "right to be forgotten" where this is requested
- Whether your systems address other rights of data subjects, such as the right to object and the right not to be subject to automated decision making (including profiling).
Data protection by design and privacy impact assessments
The GDPR introduces a legal obligation to implement technical and organisational measures (designed measures) to show that you have considered and integrated data protection into your processing activities. The ICO is currently updating its guidance on what it expects businesses to implement under GDPR. The current guidance is available on the ICO website, as are the ICO’s privacy impact assessment criteria. The changes to the way businesses process data will certainly have an impact on your corporate culture. This impact should not be overlooked.
Other steps which will need consideration in due course include:
(a) updating existing procedures for dealing with subject access requests
(b) implementation of procedures to comply with tighter rules if you deal with children
(c) a legal duty to report some data breaches within a short timescale
(d) the need to appoint a data protection officer for some businesses
(e) if you are part of an international group, which lead supervisory authority you will come under
(f) reviewing how transfers of personal data outside the EEA will continue to be permitted.
Brexit and trading in Europe
It is anticipated in the UK that through the European Union (Withdrawal) Bill, all EU regulations will be transferred to the UK statute books when Britain leaves the EU in March 2019. Consequently, the GDPR, as well as the European Network & Information Security (NIS) Directive (also known as the Cyber Directive) (if already in place by then), will be maintained. What happens after that remains an important question!
The GDPR has effect extra-jurisdictionally (outside of the EU). If you want to trade in Europe, you must demonstrate that you have equivalent data protection laws in place. The GDPR’s main obligations are set to apply to businesses or organisations located anywhere in the world which process EU citizens' personal data in connection with their offer of goods or services, or their monitoring and profiling activities.
Need advice on GDPR in the UK?
For further information, please contact Geraldine Fabre, partner in the Corporate and Commercial team at Sherrards Solicitors LLP.