Issues relating to data privacy continue to hit the headlines on a regular basis. As such, the European Union has introduced the General Data Protection Regulation (GDPR), which is designed to replace the current Data Protection Directive (DPD). The new regulation will come into effect as of May 2018. The pendulum is swinging, the alarm bell is ringing, yet many organisations continue to snooze. Of course, it may be the case that organisations are simply not sure how to proceed. Or perhaps, due to Britain’s recent decision to leave the EU, they feel that they will be exempt from the GDPR. This is not the case, as the GDPR has “extra-territorial” scope. What this means is that any organisation that stores or processes information belonging to EU citizens will be subject to the GDPR, and the fines for non-compliance are too significant to ignore.
Below are some of the key points that organisations will need to consider when preparing for the GDPR:
Prove you are protecting sensitive data
Organisations will need to maintain relevant documents and create reports in order to prove that they are protecting sensitive data. They will also need to carry out Privacy Impact Assessments (PIAs) and adopt the “Privacy by Design” methodology by default.
Determine whether you need a Data Protection Officer (DPO)
Large organisations will likely need to employ a DPO. A DPO can be hired on a contract basis or an in-house DPO can be appointed. They will be required to oversee all areas of data protection, including the implementation of data protection policies, staff training, monitoring important system changes and providing the reports and documentation necessary for compliance.
An opt-in will be required
While organisations are not required to change the terms of existing DPA consents, any personal data that is obtained after the GDPR has come into effect will be subject to the new rules. These rules require that consent is freely given and that the request for it is clear and concise. Additionally, some sort of affirmative action (opt-in) will be required. Silence or pre-ticked boxes are not considered to be an acceptable acknowledgement of consent. Also, there will need to be an easy way for data subjects to withdraw their consent.
New data subject rights for individuals
There are a number of new data subject rights which organisations must adhere to. The key rights include:
– The right to be forgotten
– The right of subject access
– The right to information
– The right to rectification
– The right to data portability
– The right to object
Data subjects will be protected from automated processing of their personal information. Also, organisations are required to respond to subject access requests in a timely manner.
Updated privacy policies
Organisations will be required to provide clear and detailed notices about how collected data will be processed. Data subjects will need to be informed about the new enhanced rights (as mentioned above). Existing privacy policies will need to be updated accordingly.
International transfers of personal data
Transfers of personal data to different parts of the world may undermine data protection. As such, the GDPR has introduced restrictions on the transfer of personal data to countries/organisations outside of the EU.
Reporting breaches
Under the GDPR, organisations must report any breach that may jeopardise the rights and freedoms of EU citizens. This may include the loss, alteration or unauthorised access/disclosure of personal data. Should such a breach occur, it must be reported to the relevant authorities within 72 hours.
If you haven’t already done so, now is the time to get up to speed with the GDPR. Below is a basic checklist that can help you take those first steps towards compliance.
- Review your privacy notices and policies
- Ensure that you have a breach plan in place
- Ensure that you are lawfully processing personal data
- Put together a comprehensive training plan for your staff
- Closely monitor your processes and procedures
- Appoint a DPO where required
- If you are a processor, review your existing contracts and consider what changes need to be made
- If you are transferring data outside of the EU, ensure that you have a legitimate basis for doing so
- Invest in some commercial auditing software that is capable of providing reports and real-time alerts about changes to important files, folders and user accounts