Gullands' Guide to General Data Protection Regulation (GDPR)
Follow our step by step guide to make sure you and your business are ready for the introduction of new legislation on GDPR which comes into force on 25 May 2018.
What is GDPR?
GDPR is a new piece of EU legislation which will apply to all European businesses. It replaces the Data Protection Directive and the UK’s Data Protection Act 1998.
It is anticipated that even after Britain leaves the EU, these new rules will still apply and replacement national legislation will be similar, given that the Government wants to put its commitment to data protection at the top of the agenda in this age of rapid technological advances.
What is GDPR for?
GDPR will impose greater obligations on businesses which handle data, so that individuals know what is happening to their information, what it is going to be used for and who will have access to it.
All data should be kept securely and not used in a way which is excessive or unfair.
Are all businesses affected by GDPR?
All businesses are affected, and should consider carrying out an audit now to establish (if not already known) what data they hold and where. They should then review their systems and procedures to check the extent of their compliance and non-compliance with the new legislation.
Small businesses will be impacted the most, as many are unaware of their legal obligations and the significant level of fines for non-compliance.
Businesses that use third-party contractors to handle customer data such as opt-out and marketing lists, store their databases, analyse customer data, track online behaviour or use, process payments and arrange deliveries will be impacted. These businesses will be directly liable to individuals if they mishandle data and significant fines may be imposed.
Where do I start?
Set yourself a goal now to work through the following steps, and write a timetable for your approach to GDPR, counting down to 25 May 2018.
- Carry out an audit now to understand what data you hold and where, and identify all activity which is compliant and non-compliant.
- Review all contracts that are in place with business suppliers and customers. For example, a business will need to give its customers more information about the identity of third parties who handle their data and the protections they have in place.
- Carry out privacy impact assessments where applicable.
- Review and update Customer Relationship Management systems and take steps to deal with customer marketing preferences, so you can demonstrate why you have customer data.
- Review how your IT Systems are using an individual’s data.
- Review IT security to see if it can be improved further and reduce the amount of data held where it isn’t essential. You must know where all your business’ data is stored and ensure this is compliant with GDPR.
- Review which members of staff have access to individuals’ data and how necessary this is, as well as how it is being used in all departments of your business.
- All businesses need to take a more serious attitude to data protection and it would be a good idea to appoint a member of staff to have responsibility for compliance.
- Update staff guidance and training to include GDPR for all new and existing staff.
- Individuals can make a Subject Access Request and the rules are due to change, so make sure you know how to deal with these.
- Have a plan in place for dealing with reporting data breaches.
- GDPR should be discussed at board room level. With fines of 2-4% of global turnover or €10m-€20m if greater, per breach, we can guarantee this is something they will be keen to discuss.
We have teamed up with Matt Leipnik at Chalk Circle Ltd to answer some of the common questions on GDPR.
I get that GDPR is coming, but what in practical terms can I do now?
Undertake a gap analysis and look at what you are doing currently versus what you should be doing going forward (something my company can
Assign someone at a senior level responsibility for Data Protection in your company. Ideally this should not be someone in charge of or from your IT department.
Identify what data you have, where it is, why you use it and what you do with it, whether it’s personal or sensitive personal data or not and who has access to it and how long you keep or have to keep it for.
Clean your data up, only keep what is reasonable and only keep data that you will use. Data held just in case you might use it in the future will no longer be allowed.
Isn’t this just like the Millennium Bug all over again?
It is similar in that there is a deadline to meet and all businesses must review and address their position as required. Where it differs though is that this is not a one-time exercise; it’s a continuous, iterative process, and commercially there will be an expectation from potential customers, tender processes and contractual arrangements to be able to demonstrate adherence. So there is a compliance requirement on the one hand but also commercial drivers that mean doing nothing is not an option.
Do I have to appoint a Data Protection Officer (DPO)?
You will have to appoint a DPO if your company is a public authority or organisation that undertakes large scale monitoring or processing of sensitive personal data (Health data or Children’s data for example). You will also need to appoint a DPO if your organisation is involved in any profiling of individuals and their habits or preferences. Large scale does not have a full definition yet but examples have been given of processing of 5000 records and above. It is a good idea to appoint someone in a similar role even if you do not qualify to have to appoint a DPO formally.
Is a breach of GDPR just losing personal data?
Losing personal data is a breach of GDPR, however this is not the only condition to constitute a breach. Any failure to comply with the GDPR will constitute a breach, so for example not having a defined Subject Access Request process would constitute a breach.
Can I take care of GDPR on my own?
There are a number of things you can do to prepare for GDPR internally without even necessarily needing to understand the regulation.
However, GDPR and managing your Data Protection risk is an extension of managing the broader risks across your business and ties heavily into your IT and Security strategy long term. Using external experts to understand the ramifications properly and how it can be incorporated on a tailored basis into your business is important, more cost effective and faster than doing it yourself. Please contact us if you’d like more information about our GDPR Readiness services.
You will also need to work with a solicitor (such as Gullands) to review the legal processing basis you will look to use, as well as to update, terms and conditions, privacy policies and employee and supplier contracts.
Does GDPR just apply to electronic information?
No. GDPR applies to all personal data held by an organisation. This includes paper based files and storage and importantly CCTV images. There are some big changes around use of CCTV images which you should familiarise yourself with.
What about deleting information on an archived backup?
This does depend on how reasonable it is to recover the backup, restore the data and delete the information. If it is uneconomical to perform the activity, i.e. the backup is on tape, in storage at a secure warehouse, and it would need to be retrieved, couriered, re-introduced, recovered and restored, and the cost to do this was thousands of pounds, then you would not be expected to delete the information. However, you cannot simply say it’s not possible because you’ve not looked into it or don’t feel like doing it. You have to be able to demonstrate and evidence that you have considered this, that the outcome is that it’s not possible, and document the reasons why.
This is just a European thing and doesn’t affect us due to Brexit?
The GDPR applies to any business globally processing the personal information of a living person who is residing in the EU or an EU Citizen. It comes into effect in May 2018, when we will still be part of Europe, so it will apply – there is no escaping it.
It’s being adopted into new legislation that effectively mirrors GDPR into UK law with some additional amendments and changes. The draft bill includes prison sentences relating to some aspects of failure to comply, which brings it in line with other Director responsibilities like Health & Safety.
Matt Leipnik can be contacted at firstname.lastname@example.org