Data Protection – Prepare yourself for GDPR


Businesses with an online presence, particularly those with customers and users in the EU, need to pay much closer attention to compliance with the new General Data Protection Regulation (GDPR), which comes into force on 25 May 2018. Even companies that do not expect to be on the Information Commissioner’s (the UK regulator’s) radar may well find that customers, business partners and investors expect them to demonstrate their compliance.

Compliance requirements that need to be satisfied

Privacy policies need to be updated. More importantly, GDPR raises a much broader compliance task in terms of privacy protection, which every company and organisation that collects or handles personal data needs to prepare for. GDPR is widely regarded as the gold standard for privacy protection globally, and because it sets such a high bar, meeting its requirements will go a long way towards compliance with the privacy laws of almost any other country.

Steps organisations need to take to prepare for GDPR

We set out below a brief introduction to the issue and how we can help your organisation prepare for GDPR.

The Data Protection Act 1998 already incorporates many of the elements of GDPR, but the new legislation changes the emphasis of the regulatory regime, adds new layers of compliance, introduces a greater level of detail and, importantly, significantly ratchets up enforcement powers: serious violations can attract fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher.

The GDPR introduces the concept of “data protection by design and by default”. This requires organisations to build compliance into their processes, policies, systems and services from the outset. It is an attempt to move away from ‘tick box’ compliance (such as having a standard privacy policy and some standard consent buttons on the website) to a more rigorous approach that safeguards the privacy interests of consumers, patients, employees and other individuals. Data protection by design includes the general requirement of data minimisation (collecting and processing only the personal data that is necessary for the stated purpose) and systematic anonymisation and pseudonymisation, insofar as reasonable in the circumstances. The two are not the same: anonymised data can no longer be linked to an individual and falls outside GDPR altogether, whereas pseudonymised data (identifiers replaced by a code, with the key that reverses the coding held separately and under strict access control) is still personal data, but its use is encouraged as a security measure because a leak of the coded data alone does not identify anyone. Naturally, this is more of a concern for organisations that deal with large volumes of personal data or whose activities are focused on the collection, hosting or analysis of personal data, but it raises the bar for compliance across the board.

Impact Assessment and Record Keeping

The requirements to appoint a Data Protection Officer (DPO) and to complete a formal Data Protection Impact Assessment (DPIA) are imposed on organisations engaged in “high risk” processing, or which process special categories of personal data (such as health records) on a large scale, or which engage in large-scale, systematic profiling or monitoring of individuals.

In most cases it is good practice to prepare an impact assessment (or a similar document) even if an organisation is not under a legal obligation to do so. In any event, complying with GDPR requires due diligence and record keeping: mapping the data flows, identifying the data security structures, defining access rights and authorisations, and so on. This comes down to carrying out something very similar to a full impact assessment.

IT Security

This is one of the key operational requirements of the law: GDPR requires “appropriate technical and organisational measures” proportionate to the risk, and names encryption and pseudonymisation as examples. It applies not only to the technical measures an organisation puts in place to secure the personal data it stores (encryption at rest and in transit, patching, backups) but also to the organisational measures: access rights, access controls, authorisation levels, dissemination and access policies, monitoring, audits, staff training and the like.

Data Processing agreements

These are required whenever an organisation allows another organisation to access, store or use personal data records on its behalf. Cloud computing providers, IT system services and support providers, data analysis services and other third parties that may have access to your consumer or employee data must sign data processing agreements that contain the terms GDPR requires.

Brexit

Insofar as data protection is concerned, the UK government has already announced new UK legislation that will incorporate the GDPR principles into domestic law and replace GDPR for the UK after it leaves the EU. It is important for the UK that, after leaving the EU, it is recognised by the European Commission as a country that provides an adequate level of protection for privacy interests, so that Brexit does not undermine the free flow of data between the UK and the EU.

How we can help

Many of the compliance tasks will be undertaken primarily by your organisation internally. Carrying out the due diligence, documenting processes and systems, putting in place control systems and authorisation levels, and writing and compiling the policy papers and records the legislation requires are tasks that need access to operational information and personnel, and they will be time consuming.

We can assist with:

  • providing guidance;
  • reviewing and commenting on operational documentation such as data retention policies, IT security policies, data sharing and access rights policies and record-keeping files;
  • drafting or amending legal documentation such as the privacy policy statements, standard data processing agreements and data export agreements;
  • communicating with regulators (for example, if there is an audit, investigation or a complaint); and
  • addressing and responding to data subject requests and handling complaints.