Can you afford to ignore GDPR?

With less than one year until the new General Data Protection Regulation (GDPR) comes into effect, Ayla Karmali, of Goldstein Legal, explains the new regulations in plain English and runs through her step-by-step guide to help you ensure that your business is GDPR ready.

What is the GDPR?

The GDPR – General Data Protection Regulation – is an update to data protection laws across the EU.  The GDPR will come into effect on 25 May 2018 and will continue to apply even after “Brexit.”

Why is GDPR necessary?

Since the existing data protection laws came into effect in 1998, technology and the way we use data has been completely transformed.  The new regulations aim to address these changes and afford individuals a right to control how personal and sensitive data is exploited – used, maintained and shared.

Will the GDPR apply to my business?

Yes.  If you process or control the personal data of any individual, you will need to comply with the GDPR.  This includes the personal data of employees, customers, individuals you do business with and individuals you market to.

What happens if I’m not GDPR ready?

The Information Commissioner’s Office (ICO) currently oversees compliance of data protection laws in the UK.  Under the GDPR, its powers of investigation and enforcement will be strengthened.  The ICO can carry out audits of your business, obtain access to your premises, issue reprimands, impose a ban on your processing of data, order the suspension of data flow and impose fines.

If it is found that you have breached the GDPR, the new penalty can be up to 4% of your total annual turnover (or €20 million) depending on the severity of your breach.

For some businesses, a fine of this size could mean insolvency!

What are the key areas I need to be aware of?

The rights of your data subjects – the individuals

The GDPR affords individuals a number of key rights and / or has substantially strengthened certain existing rights:

A right to consent: In most cases, you must obtain an individual’s consent to collect their personal data or directly market to them.  The individual can withdraw its consent at any time and you must make it easy for them to do so.

A right to know: If you collect an individual’s data, you must tell them who you are; why you are collecting their data; what data you are collecting; who you will be sharing it with and why; how long you will retain it and what their rights are.

A right to access: Once you have an individual’s data, they have a right to ask what data of theirs you have and how you are processing it.

A right to change the record: An individual can ask you to update or rectify his/her information and you must comply. If you do not, you will need to explain why and inform them of their right to complain.  You must also tell them who else you disclosed their data to so they can update them.

A right to erasure – the right to be forgotten: In certain circumstances, an individual has a right to have their personal data erased.  You need to know in what circumstances you will have to comply with their request.  Similarly, an individual also has the right to ask you to stop processing his data.

A right to data portability: Individuals should be able to obtain and reuse their personal data as they wish across different services.  If the individual requests it, you may be required to transmit the data directly to another organisation if this is technically feasible.  If you refuse, you must be able to explain why.

Document your compliance

You will need to be able to show the ICO that you are complying with the GDPR.  You should do this by documenting your policies and maintaining records (i.e. what kinds of data you process; why you process it; how long you will retain it; how you are keeping the data safe and secure).

Report data breaches

Where there has been a data breach, you will need to notify the ICO and even the individual.

Your policy will need to define what would constitute a data breach in your organisation and have a clear reporting procedure.  The breach must be reported within 72 hours of it being discovered.

Keep data safe and secure

The key principles to highlight here are:

• Limit data collection: only collect data you need
• Limit processing of data to the purpose for which it was collected
• When processing sensitive data, carry out impact/risk assessments
• Share on a need to know basis: limit who sees the data
• Review your security and processing methods regularly
• Record your processing activities

Goldstein Legal’s Step-by-Step Guide to GDPR Compliance

Following systematic guidelines will help your business prepare for GDPR compliance.

1.Take the GDPR seriously – review the regulations and the ICO’s guidance on its website

2.Review your current data protection system and identify the gaps in view of the new regulations.

3.Review the personal data you hold, consider why you hold it and ensure you have obtained the right consent to process and use it.

4.Review your current privacy notices and begin implementing the ICO’s Privacy Notices Code of Practice 

5.If you process children’s data, become familiar with the special protections in place for their data.

6.Consider what procedures you need in place to detect, report and investigate a data breach and how you will act if you suffer a data breach.

7.Consider whether you need external help to implement a specially created information management system.

8.Document your GDPR and information security policies starting now

9.Initiate GDPR and information security training for staff

10.Download Goldstein Legal’s handy GDPR Infographic to help you confirm that your business is GDPR ready.

If you need further support preparing for GDPR compliance, we can help.  Speak to one of Goldstein Legal’s expert commercial lawyers today.