\ Countdown To Being GDPR Ready
Feature: Page (1) of 1 - 06/07/17

Countdown To Being GDPR Ready

By Andrew Yule, Partner, Winckworth Sherwood


With little more than 12 months until the General Data Protection Regulation (GDPR) becomes law, there is a sense that the clock is now really ticking. The European authorities allowed a transitional period of two years between the announcement of the final version of the new rules and D-Day of 25 May 2018. This rather long lead-in time serves as a strong clue to businesses: the changes are significant and so need some thought and preparation to get compliant.

In the UK, the Information Commissioner's Office (ICO) has indicated that there will be no initial moratorium in terms of the regulator's enforcement of GDPR. At a recent conference held by the International Association of Privacy Professionals in London, the ICO's Steve Wood commented: "Will there be a grace period? No. You will not hear talk of grace periods from people at the ICO. That's not part of our regulatory strategy." 



One of the significant changes to the law is the substantial increase in the level of fines that data protection authorities such as the ICO can levy, meaning that Wood's comment is bound to worry businesses as they navigate the road to compliance. However, it is inevitable that even the most well-resourced organisations will have to prioritise where budget, effort and resources are targeted. With so much in the way of guidance, articles and general noise about GDPR available, it is easy to quickly reach information overload on the topic of GDPR. In this article, we provide a few key tips to clarify matters.


By failing to prepare, you are preparing to fail

Trite though it may sound, Benjamin Franklin was on to something with this adage. Some businesses are already well into their plans in terms of GDPR compliance and others are yet to start. The key message is that although time is running out, it is still not too late to identify and tackle the problem issues that will prevent your business from meeting the GDPR test. Despite the ICO's stated strict position on compliance, GDPR uses a risk-based approach, unlike the Data Protection Act, and so will any enforcement action. If you have not yet begun your compliance programme, a good first step is to assess your current data processing activities (the phrase 'data mapping' is a common buzzword here). Identifying what personal data your organisation holds, where it comes from, why it is held, how long for and who it is shared with might sound like very basic questions but asking those questions across your business will provide an excellent framework to allow you to perform a gap analysis and determine what to tackle first. This can be done by department, function or on a system by system basis. Be sure to include details of where your systems speak to each other to get a full picture of your data flows. 

Show your workings out

A key theme with GDPR is that it isn't enough to comply - you must be able to show how you comply. Annual registration with the ICO will go but in its place data controllers will be expected to keep detailed records of their processing activities. Transparency and rigorous governance are crucial, in terms of showing individuals and the regulator that your business takes privacy seriously.

Consent is king

GDPR introduces a far stricter test for consent as the basis for data processing. Consent must be "freely-given, specific, informed and unambiguous of a person's wishes" indicated by "a statement or clear affirmative action" signifying that consent. Pre-ticked boxes will no longer be defensible, nor will burying information to assume an implied consent in the middle of a privacy policy.  If you have to rely on consent, it needs to be granular and related to each type of operation the individual is being asked to agree to. Consider setting up a privacy dashboard or similar widget to ease the burden of seeking and recording consents. This is particularly helpful as it must be as easy to withdraw consent as to give it.

It's the DPO don't you know

Establish early on whether your business must appoint a data protection officer (DPO). Many will already have a person with this title or perhaps Chief Privacy Officer, however GDPR will mandate the appointment of a DPO for some data controllers. This is the case for all public authorities, those who systematically monitor individuals on a large scale or those who process large quantities of sensitive personal data, such as health information. Guidance at European level suggests these thresholds are low and many will be obliged to appoint a DPO. The law sets out detailed requirements about the DPO's experience, qualities, responsibilities and some limited protections from dismissal, similar to whistleblowing rules. They have to report in at board level and need to be involved in all projects involving personal data from their outset. If you need a DPO and don't yet have one, this is a good time to recruit or find a suitable outsourced partner to help.

Systems at the ready

GDPR brings in enhanced rights for individuals to make subject access requests as well as require a data controller to stop processing or delete data in some circumstances. Do your systems enable you to action such requests without time-consuming manual workarounds? The nominal £10 fee for subject access requests will go and individuals will be entitled to a copy of the data you hold on them within one month, in a common electronic format. It is generally thought the number of SARs will increase so use technology to ease the burden for more routine requests. Data subjects will also have a new right to data portability meaning that if they change email provider for example the old provider can be obliged to transfer their data to the new supplier. 

Data protection by design and by default

The concepts of data protection by design and default are not new ones but with GDPR they become baked into the law. To implement data protection by design, privacy implications of any new or altered system or process must be considered up front and so become integral to the project rather than privacy being retrofitted as an afterthought. Whilst this can seem like another cumbersome compliance task, it avoids having to alter a system or its implementation after the event which inevitably causes disruption and ends up costing more. A well-documented data protection by design approach becomes part of the overall record keeping and governance requirements for GDPR, again making the burden somewhat easier. The approach goes hand in hand with data protection by default which can be neatly summarised by the phrase: if you don't need it why are you keeping it? By minimising the amount and types or personal data your business collects and uses, you will be compliant with GDPR and in short, there will be less to go wrong and less data to lose. This is important when reporting of more serious data breaches will become mandatory under GDPR, both to the regulator and affected individuals. 

Conclusion

The prospect of an increased compliance burden, stricter rules and fines of up to ?20,000,000 or 4% of global turnover is an unpalatable one for many organisations. Certainly, it's true to say that GDPR generally strengthens the rights of individuals and makes life harder for data controllers. But given the new rules are here to stay, even post-Brexit, they do afford an opportunity for agile, forward-thinking businesses to distinguish themselves as trusted guardians of personal data. When the first large fines are issued, this undoubtedly will be a more comfortable place to be.

Andrew Yule is a Partner at Winckworth Sherwood. He advises businesses and senior executives, working with clients across a range of sectors, including financial services, technology, retail and education - providing pragmatic and prompt day-to-day advice. 

He also has a great deal of experience helping clients to avoid or to defuse disputes and - where necessary - successfully running complex litigation.


Related Keywords:General Data Protection Regulation, GDPR, EU

Source:Digital Media Online. All Rights Reserved

Our Privacy Policy --- @ Copyright, 2015 Digital Media Online, All Rights Reserved

Webmaster
Privacy.