All Businesses must prepare for GDPR – what you need to know

15th June 2017

The Information Commissioner, Elizabeth Denham, has warned organisations that they must begin to prepare for the General Data Protection Regulation (GDPR), stating that it is “the biggest change to data protection law for a generation”. Ms Denham explained that there are commercial benefits to dealing with data protection in the right way and stressed that it is important to ensure compliance by the implementation date of 25th May 2018. She stated: “If your organisation can’t demonstrate that good data protection is a cornerstone of your business policy and practices, you’re leaving your organisation open to enforcement action that can damage both public reputation and bank balance. But there’s a carrot here as well as a stick: get data protection right, and you can see a real business benefit.”

The ICO has issued an updated data protection toolkit for SMEs which helps organisations assess their readiness for GDPR through a checklist. It has also updated its guidance on how to prepare for GDPR, revising the 12 steps it is advising organisations to take now:

  • Awareness: Organisations should ensure that their decision makers understand that GDPR is coming into force and the impact it is likely to have, including potential resource implications.
  • Information you hold: The personal data held by organisations should be documented, and organisations may need to conduct an information audit. This should help with the requirement to maintain records of processing activities and fulfil the obligation to tell other organisations with which data has been shared when that data changes. It should also help with the requirement to be able to demonstrate compliance with the data protection principles.
  • Communicating privacy information: Privacy notices need to be reviewed. More information will need to be provided in a privacy notice.
  • Individuals’ rights: Procedures should be checked to ensure that all individuals’ rights will be managed. Individuals have enhanced rights under GDPR, including a new right to data portability.
  • Subject access requests: Organisations no longer have the option to charge a fee for a subject access request. The turnaround time has been reduced from 40 days to a month. More information will need to be provided in response to a request, and there should be an assessment of whether responses can be handled electronically.
  • Lawful basis for processing personal data: This should be documented, shown in a privacy notice and provided in response to any subject access request.

Individuals’ rights vary depending upon the basis for processing.

  • Consent: Where consent is the basis for processing, a review should be undertaken to determine whether changes need to be made. The ICO has recently issued guidance on consent. Consent must be freely given, specific, informed and unambiguous. It needs to be separate from other terms and conditions, and consent can be withdrawn. Any processing based upon consent will need to meet GDPR standards after 25th May 2018.
  • Children: Where personal information is obtained about children, systems need to be in place to obtain parental or guardian consent.
  • Data breaches: The ICO expects organisations to have incident management / data breach plans in place already. GDPR introduces mandatory reporting of data breaches within 72 hours to the supervisory authority (the ICO) and, in some cases, to affected individuals.
  • Data Protection by Design and Data Protection Impact Assessments: Privacy by Design becomes a legal requirement under GDPR, and Data Protection Impact Assessments are mandatory in some instances.
  • Data Protection Officers: Organisations need to formally assess whether they need to designate a data protection officer, either internally or externally. The requirement covers organisations that:
    • Are a public authority
    • Carry out regular and systematic monitoring of individuals on a large scale
    • Carry out large scale processing of special categories of data, e.g. health data or criminal convictions
  • International: Where an organisation operates in more than one member state, it needs to determine its lead data protection supervisory authority and document this.

Helen Lord, Director at Regulatory Strategies