Is your business preparing for compliance with the GDPR deadline fast approaching?
The GDPR (General Data Protection Regulation) comes into force across the European Union on 25th May 2018. The Regulation dramatically increases the obligations and responsibilities of businesses which control or process data. The importance of GDPR cannot be overstated and it cannot be ignored by any business, whether large or small. Failure to prepare and ensure GDPR compliance now may spell future woes for your business. You must comply with the new regulatory landscape or face administrative fines on a scale previously unforeseen of up to €20m or 4% of global annual turnover. Fines will be issued not by a court but by the Data Protection Commissioner (DPC) directly, and the investigatory powers of the DPC will be dramatically increased. These are breathtaking fines, and for a smaller sized business they could represent a serious dent in profits or, depending upon the size of the fine, have a terminal effect.
Who does GDPR apply to?
GDPR is binding on any size of organisation that is involved in controlling or processing the personal data of individuals in the EU, regardless of the location of the company or the location of the data processing. The focus is on protecting the individual’s personal data. Personal data is defined broadly to cover any information that can be used to directly or indirectly identify a person.
The Regulation is applicable to data controllers and data processors. A data controller is any person or body which collects data and determines how that data is to be processed, for example an employer. Data processors are persons or bodies which process the data on behalf of the controller, for example a payroll company. A business may be both a data controller (in relation to its own employees’ personal data) and a data processor.
DPC Guidance to comply with the GDPR
The DPC has released a 12-step guide to assist businesses in preparing for these new obligations. Some of the steps include the following:
- It is imperative that you find out what personal data you hold and make an inventory of it. Analyse and be in a position to justify why you are storing the personal data, why and how it was originally gathered, how long you will retain it, how secure the data is, and whether the data is to be shared with third parties and the basis for doing so. Having a paper trail demonstrating how data is held and processed will greatly assist you towards showing compliance with GDPR.
- You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation. When you collect personal data you currently have to give people certain information, such as your identity and how you intend to use their information. This is usually done through a privacy notice. Under the GDPR there are some additional items that you will have to notify to customers, such as the lawful basis for processing the relevant data, the period you intend to retain that data, and the customer’s right to complain to the DPC if they think there is a problem with the way you are handling their data.
- Businesses must have procedures in place which cover all the rights individuals have under GDPR, including the following:
  - The right to be informed
  - The right of access to data held
  - The right to have inaccuracies corrected
  - The right to have information erased
  - The right to object to direct marketing
  - The right to data portability
  - The right not to be subject to automated decision making
- You must update your procedures and plan how you will handle Subject Access Requests to take account of the new rules, which include not being able to charge for processing an access request and dealing with such requests within 1 month. If your organisation handles a large number of access requests, consider the logistical implications of having to deal with such requests.
- You should review how you seek, record and manage consent and whether you need to make any changes. Existing consents should be refreshed if they don’t meet the GDPR standard. Customer consent to recording personal data must be “freely given, specific, informed and unambiguous”. A customer cannot be forced into consent, or be unaware that they are consenting to processing of their personal data. They must know exactly what they are consenting to, and there can be no doubt that they are consenting. Obtaining consent requires a positive indication of agreement; it cannot be inferred from silence, pre-ticked boxes or inactivity.
- You should make sure you have the right procedures in place to detect, report and investigate a personal data breach. The GDPR introduces a duty to report certain types of data breaches to the DPC within 72 hours.
- Certain data controllers will be required to appoint a Data Protection Officer (DPO) to ensure the data controller is acting in compliance with the requirements of the GDPR. You should check to see if you fall under this category and ensure that someone within your organisation, or an external party, can take responsibility for your data protection compliance and has the knowledge, support and authority to carry out their role effectively.
Given the increased sanctions which will be introduced by the GDPR, it is more important than ever for businesses to ensure that they are compliant with both existing data protection legislation and the GDPR. As the GDPR will become effective in just over 5 months, time is of the essence and preparatory steps must be taken now to ensure compliance.