Today marks the start of the one-month countdown until the General Data Protection Regulation (GDPR) is effective across the European Union (EU).
As many of you are well aware, the GDPR comes into effect on 25 May 2018 and businesses established in the EU or marketing their products or services within the EU will, in almost all cases, be required to comply.
Many businesses have yet to take the initial steps towards seeking to comply with the GDPR. If you are one of those businesses, now might be a good time to start panicking! However, at Waterfront Solicitors LLP we have been assisting many of our clients with their GDPR compliance and, based on our experience to date, we have summarised some of the most likely steps you may need to take to prepare for the GDPR, including a list of the TOP FIVE documents that many businesses will need to put in place (or to update, if you have them already).
If you haven't already, you should get on with mapping out the different personal datasets you hold.
For most businesses these will include data relating to some or all of the following:
- customers/clients/users (if these are individuals);
- customer staff (if your customers are businesses);
- your own employees;
- staff of third party service providers and suppliers; and
- for data processors this will also include data processed on behalf of your customers/data controllers.
For each dataset you ought to consider:
- how the data is collected;
- what data is collected;
- what is the purpose for which the data is collected;
- where the data is held;
- who can access the data;
- how long will the business need (or be required) to keep the data; and
- whether the data is transferred elsewhere (e.g. to group companies or other third parties, or to jurisdictions outside the EU) during the course of your activities.
This process should help identify any gaps or non-compliance with GDPR principles, identify if there are any areas where the business needs to get consent from data subjects, help you decide on any internal policies and processes (such as data retention and deletion) and also provide the necessary information for your Privacy Notices.
AM I A DATA PROCESSOR OR A DATA CONTROLLER?
A data controller determines the purposes for which and the way personal data is processed. A data processor is anyone who processes personal data on behalf of the data controller. Processing can include hosting, storing, analysing, or simply accessing personal data.
For each dataset that is shared between you and another party, you should consider whether or not you are a Data Processor or a Data Controller (as defined in the GDPR). It is crucial to make this determination, especially in situations such as a data breach where it will be necessary to determine who has data protection responsibility. It will also inform the decision about which of the top 5 GDPR compliance docs you will need, and how to draft them.
TOP 5 GDPR COMPLIANCE DOCS
Below we have listed, in no particular order, the documents we most often need to write or update for our clients to help them comply with the GDPR.
1. Privacy Notice
You will need to work out the best way of communicating your Privacy Notice to the relevant data subjects – often this is done by publishing the notice on your website.
2. Employee Privacy Notice
Similar to the more general Privacy Notice for business contacts, described above, employers have an obligation under the GDPR to provide information to their staff about the processing of their personal information. One way of fulfilling this is to circulate an Employee Privacy Notice (i.e. a notice directed to your employees disclosing how you process their data). This could form part of your Staff Handbook.
3. Data Processing Agreements
The GDPR requires that every Data Controller to Data Processor relationship be governed by a written agreement that includes a number of specific provisions. This document is usually referred to as a Data Processing Agreement (or sometimes an Addendum to an existing services or other agreement). Alternatively the required provisions can be included as a clause or schedule in an existing agreement that governs the broader services to be provided by a data processor to a data controller.
This means that if you process personal information on behalf of customers as a data processor, your customer agreements should be updated to include GDPR compliant Data Processor wording. As mentioned above, this can be included in your standard terms and/or executed as an addendum to an existing contract (for existing customers), or even executed as a totally standalone document – it should be put in place with all existing customers, and for new customers going forward.
Similarly, where you work with downstream processors, such as suppliers to your business who process personal data, your subcontractors (e.g. developers who have access to the personal data within your database) and any online service providers on which you store personal data (e.g. hosting service provider, online CRM, payroll or email marketing system), you need to ensure that their terms include the appropriate data processing wording. In some cases this will be simply clicking a few boxes on your supplier's website to agree to their updated terms, with others (e.g. individual sub-contractors) you may need to put in place a more formal data processor agreement or an addendum to an existing agreement.
4. Privacy Impact Assessments
If you make any significant change to your data processing arrangements – particularly if you start using a new technology or you are making a change to your own technology – and the processing is likely to result in a high risk to individuals, under the GDPR (Article 35) you will be required to conduct a "Privacy Impact Assessment" (PIA), which the GDPR itself calls a Data Protection Impact Assessment (DPIA) – i.e. writing down any privacy and data protection risks and how you are addressing them. The PIA takes you through the steps of understanding the processing that you do and addressing any data protection requirements, just in a very comprehensive and methodical way, requiring each step to be documented. This can be quite useful as it should ensure that there is no stone left unturned!
5. Internal Data Protection Policy
It is important that all staff who handle personal information understand the fundamental principles and the practical requirements for complying with data protection rules. It is also important that staff members are able to identify breaches or potential breaches of data protection law, and know how to respond appropriately. You may need to update your current policy in line with the GDPR or put one in place if you don't currently have one.
WHAT SHOULD YOU DO IF YOU HAVEN'T STARTED YOUR COMPLIANCE PROJECT YET?
Don't panic! Waterfront can work with you to fast-track your GDPR compliance...
With most clients we go through the following process:
- we ask the client to complete a very high level questionnaire about their data processes;
- we have an initial call to gain an understanding of their data processes and to identify any documents that might need to be drafted or updated;
- we either amend existing drafts, or send the client a selection of skeleton documents for them to populate with the required information; and
- one of our data protection experts will then work with the key stakeholders to draft the documents and work through any specific questions about the data processes as they arise.
By the time the documents are completed, the client has a much better understanding of any additional actions it needs to take to comply with the GDPR, where it needs to obtain consent (opt-ins) or offer the right to object (opt-outs), and what guidance any staff might need to ensure that they understand the organisation's obligations.
Putting these documents in place won't get around the requirement for an organisation to understand its data processes, nor will it save you from needing to decide what policies and procedures are appropriate for your business... however, our clients have found that working with one of our data protection experts in this way can quickly shed light on any areas that require further attention.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.