Small Steps to GDPR
With the new General Data Protection Regulation (GDPR) implementation date just over a year away, it’s a good idea to start thinking about what it means for your business.
The new GDPR represents one of the biggest overhauls in data regulation to date, replacing the current data protection legislation – the Data Protection Act 1998 – with a new set of rules designed to strengthen and unify data protection for all within the EU. The ICO’s guidance states that the government have confirmed that the decision to leave the EU will not affect the commencement of the regulation.
Given the amount of new information to consider and the slow trickle of guidance from the Article 29 Working Party, it’s understandable that keeping abreast of the rules and guidance as they appear, and finding the time, money and resources to implement what will be needed, appears at first sight to be overwhelming.
Taking small steps now, from reading up on the changes to beginning work on the practices and systems that will need to be in place in just over a year, will keep you on track to compliance.
The changes are fairly wide-ranging. The new rules will affect any firm that processes personal data, and along with strengthening some current rules – on accountability, for example – GDPR introduces new rights and obligations and tough sanctions for organisations that fail to comply. As such, existing practices, policies and procedures will need to be thoroughly examined and amended to ensure compliance with the new requirements.
To help firms take their first steps towards compliance, we’ve prepared this short run-down of the main changes:
There’s a new requirement that data processors must inform data controllers of a breach without undue delay after becoming aware of it. You should therefore review all your contracts to ensure the processor has an obligation to report any data breach to you. It’s also best practice to set up reporting for “near misses”, so that you can learn together to prevent actual data breaches. We’ll discuss this further in our upcoming seminar.
If a data controller has shared inaccurate personal data and later corrects or erases it, the controller has a new obligation to proactively inform each recipient of that data, including its data processors, of the rectification or erasure. This could have wide-ranging consequences for our industry, both positive and negative, especially when you factor in credit reference agencies.
Privacy notices need to be updated in line with the new requirements; again, we’ll cover this in more detail in our upcoming seminar.
The rules around subject access requests are significantly changing: in most cases you will be unable to charge a fee (although there are some exceptions), you have one month to respond to the request, and you must include certain pieces of information, such as your intended retention periods.
You will need to have processes in place to identify and record the lawful basis on which you process each category of data that you hold. Documenting this is a departure from current domestic legislation and will need to be worked into your policies and procedures. You’ll also need to decide how far to go with this obligation: at a minimum, a statement covering customer data (perhaps one for each classification of customer data) and one covering staff data; at the other extreme, perhaps a statement for each individual customer. Something to be considered.
There are new rules around gaining customer consent. For example, consent will not be valid if it is obtained from a pre-ticked box. You need to consider how you will gain oversight of what your clients or partners are doing, and have done, to gain consent, as well as reviewing the data you already have on file to ascertain whether the consent is still valid. This decision must be recorded.
A new emphasis is placed on audit trails, so that the firm can demonstrate the actions it took on specific accounts and decisions.
An updated obligation to inform the ICO within 72 hours of becoming aware of a data breach that is likely to result in a risk to the rights and freedoms of data subjects. Where you decide that notification is not required, records must be kept of the reasons for that decision.
Some organisations must appoint a data protection officer, who carries specific responsibilities.
The GDPR requires you to implement a “privacy by design” approach, whereby systems and processes are designed with data security and protection in mind from the outset; again, we will discuss this in more detail during our seminar.
It’s the right time to start considering the impact of these rules on your organisation. There’s no better way than to join us for our seminar!
GDPR seminar, held in Central London on 26 May 2017 at etc.venues Marble Arch, 9am to 3pm. £199 per person, lunch included.
Contact us to register interest: