The biggest shake-up in data protection and privacy rules for decades is on the horizon, with the arrival of the new General Data Protection Regulation, or GDPR, in force from 25 May 2018.
The new GDPR will apply to all organisations operating in the EEA. Organisations that don't comply will face hefty penalties for the misuse of data, which are now as much as 2-4% of global annual turnover depending on the severity of the breach.
The new rules are designed to harmonise EU data protection laws and offer increased protection and clarity around the processing of personal data for individuals. In essence, the new rules aim to ensure that:
- Personal data is only processed where there is a legitimate basis for doing so and any processing of personal data is 'fair and lawful'.
- Organisations are open about their reasons for obtaining personal data.
- Personal data is kept up-to-date and accurate and not kept for longer than is necessary.
- Individuals have the right to see personal data held and object to its processing.
- Organisations have adequate security in place to prevent a data breach.
One immediate question, of course, is whether the Brexit vote will make these rules obsolete. The UK Government has, however, confirmed that UK organisations must comply up to the point of exit. Post-Brexit, the rules will also continue to be relevant to any organisation offering goods or services into the EU, which will still have to comply.
What will change?
The GDPR will bring changes to the way all organisations hold and process personal data. The scale of change required in both process and behaviour within organisations will be extensive and will require significant advance planning and communication.
The key areas of change for all organisations will be:
- A requirement on organisations to demonstrate how they are complying with the GDPR, which will require organisations to create and maintain documentary evidence of their data processing activities amongst other things.
- A higher standard when relying on consent to process personal data, requiring unambiguous consent and clear affirmative action from individuals.
- Rights to more information about how an individual's personal data will be used and greater access to the personal data that is held.
- A Data Protection Officer with sufficient data protection and privacy expertise and experience must be appointed if an organisation is a public authority, or regularly monitors individuals or processes sensitive personal data on a large scale.
- Data processors to be held liable for breaches of the GDPR in their own right.
- An increase in the maximum fine for breaching the rules, to €20 million or 4% of total global turnover.
What should organisations do to prepare?
There is a lot for organisations to understand and do, so it is important to prioritise the work, taking a risk-based approach. How risky the processing activities undertaken are will be determined by the type of personal data processed and the purposes for which it is processed.
Here are our top ten tips to help organisations looking to prepare for May 2018:
- Review all data protection policies, procedures and practices across your organisation to assess compliance with the current law and ensure that the transition to the GDPR is as smooth as possible;
- Carry out a data mapping exercise to identify the categories of personal data that your organisation is capturing and processing and to identify all data flows;
- Review all the types of processing that your organisation carries out and ensure that these can be justified by one of the processing conditions;
- If consent is relied on to process personal data, review all relevant consent wording to ensure that it adequately explains what processing will be carried out and that the data subject's consent is validly obtained;
- Review all existing privacy notices and consider the changes that will be required to comply with the expanded requirements under the GDPR;
- Review your current procedures for dealing with requests from data subjects to exercise their rights. Consider how these will need to be amended, and what additional procedures will need to be put in place to ensure compliance;
- Check whether your existing IT systems are capable of enabling data deletion and rectification if individuals' rights are exercised. Ensure that new procurements take account of these requirements;
- Data Protection Impact Assessments will become compulsory under the GDPR where there is a 'high risk' for the rights of individuals. It is therefore a good idea to start looking now at your organisation's processes for carrying out these assessments;
- Review existing data breach management procedures and processes and think about what needs to be changed to ensure they allow for swift escalation of potential and actual data breaches; and
- Review current employee training on data protection and consider whether this is sufficient to enable employees to understand how they need to comply with the GDPR and quickly identify data breaches.
Compliance will bring an increased administrative burden; mandatory notification of breaches is just one example that will see organisations having to make sure that all their people are trained in how to recognise a data breach and how to escalate it appropriately. But data protection compliance is essential if organisations want to avoid the severe sanctions, which could have a serious financial and reputational impact if ignored.
This article was originally published by the Glasgow Herald.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.