New Data Protection Regulations – A Guide to GDPR
Some useful information regarding the new and upcoming Data Protection Law – GDPR (General Data Protection Regulation).
Overview of the GDPR – Effective from 25 May 2018.
Data Protection Principles – Personal data must be:
- processed lawfully, fairly and transparently
- collected for specified, explicit and legitimate purposes
- adequate, relevant and limited to what is necessary
- accurate and kept up to date
- kept no longer than necessary
- processed with appropriate security.
Accountability Principle – There are new obligations to implement appropriate measures to ensure and demonstrate that you comply with the GDPR including undertaking and documenting privacy impact assessments. Some organisations will be required to appoint a Data Protection Officer. Organisations with more than 250 employees have additional internal record keeping obligations.
Lawful Basis of Processing – The lawful basis for processing personal data is more important under GDPR. The lawful processing conditions are:
- consent of the data subject (there is a greater emphasis on consent being freely given, specific, informed and unambiguous)
- necessary for the performance of a contract
- necessary for compliance with a legal obligation
- necessary to protect the vital interests of a data subject or other person
- necessary for the purposes of legitimate interests pursued by the controller.
Individuals’ Rights – The GDPR codifies existing rights of data subjects and creates new rights:
- the right to be informed
- the right of access
- the right to rectification
- the right to erasure or ‘right to be forgotten’
- the right to restrict processing
- the right to data portability
- the right to object
- rights in relation to automated decision making and profiling.
Fair Processing Information – data subjects must be provided with certain information when data is first collected, probably through more detailed privacy notices.
Subject Access Requests – similar to existing rights but with the time to respond reduced to one month (with the ability to extend for complex requests) and the removal of the £10 fee.
Breach Notifications – the GDPR incorporates new obligations to notify data subjects and the ICO of certain data breaches within 72 hours of the breach.
Steps to Take to Comply with GDPR
1. Plan – Create a project team reporting to the senior management team to oversee compliance and ensure that you have a coordinated approach to prepare for May 2018.
2. Data Protection Officer – Consider if you are required to appoint a DPO or if it would be helpful to do so. Identify an appropriate candidate with the necessary authority, skills and experience.
3. Audit – Identify what categories of personal data you hold or process and consider as a starting point in relation to each category:
– why was the data collected and what is it used for?
– what will be the appropriate legal basis of processing under GDPR?
– if relying on consent, consider whether the way in which consent is obtained complies with GDPR.
– is any of the personal data passed to any third parties?
– is any of the personal data ever transferred outside the country?
4. Data Processor Agreements – Review agreements with third parties who process personal data on your behalf. In particular, consider stronger breach notification requirements.
5. Privacy Impact Assessments – Start adopting a ‘privacy by design’ approach, consider privacy impact assessments in respect of existing processing of personal data, and put in place a process for considering and recording decisions in respect of future data processing plans.
6. Privacy Notices – Review existing notices and prepare to update or replace to make GDPR compliant. You will almost certainly need different notices to be issued to different data subjects.
7. Data Breaches – Establish procedures to detect, report and investigate personal data breaches.
8. Staff Awareness – Consider updating policies and guidance and rolling out a training programme to bring staff up to date with the changes in the law and how your organisation has responded.
How can we help?
If you have an enquiry or you would like to find out more about our services, why not contact us?