GDPR - The Latest Updates
You only have around 7 months remaining until GDPR comes into force!
Firms are now creating the first draft of the multitude of policies and procedures required to ensure compliance with the new standards. These include:
A new data protection policy detailing your data mapping exercise; the legal basis for each processing activity (getting this element right can save you significant resource down the line); the rights which apply to individuals based on that legal basis; security arrangements; supplier management; DPIAs; privacy by design; breach reporting; and details of your DPO, including role and responsibilities, or a justification of why you do not require a DPO.
A process for dealing with subject access requests including instances where they may be considered complex.
A process for dealing with requests for data to be erased including when the right does not apply.
A process for dealing with requests for rectification.
A process for dealing with requests for restriction.
A process for dealing with objections.
A process for dealing with portability requests.
A process for dealing with requests in relation to automated decision making and/or profiling.
A breach reporting process.
A DPIA template, with its use factored into your change management process.
Quite an extensive list!
Firms have also started drafting the new privacy notices or fair processing notices which need to be given to data subjects, including members of staff, as of May next year. Again, there are a few versions you need to create which should be used at different times.
Whilst many firms will already have begun the journey towards ensuring compliance with the new rules, it is important to keep the momentum going. There is much talk across all sectors about the ‘fear factor’, and it is important that this does not lead to firms burying their heads in the sand and hoping it will go away. Whilst it is vital to bear in mind that the new rules bring with them a substantial increase in the fines available to the regulator - up to €20 million, or 4% of annual worldwide turnover, whichever is greater – it is also worth considering the benefits that the changes can bring to a business.
The new responsibilities bring an updated focus on the rights of the individual in the digital age – and onerous though this may seem at the outset, regulation that specifically considers the recent explosion of technology is long overdue. The new rules will change how data can be collected, stored and used. Whilst this might seem arduous to undertake, this is also a good opportunity to build more robust processes, policies and systems, making the changes work for your business.
We are in the process of creating the documentation mentioned in this article for a range of firms, if you would like assistance all you need to do is Contact Us. To help clients we are offering a 50% discount on each document created during the month of November!
Don’t forget Elizabeth Denham’s reminder that non-compliance leaves an organisation open to enforcement action that ‘can damage both reputation and bank balance’; preparing this material is therefore clearly a commercial advantage. So what can you do between now and May 2018?
Information is available via updates through the ICO;
Updated guidance on the definition of consent is expected soon, and the ICO have recently updated their 12 steps document;
In addition, we have produced a series of articles aimed at keeping you updated with the latest news and information on our Compliance Insights page.