The new GDPR has been getting plenty of press recently. From 2018 it will apply to any company that processes and stores personal data, irrespective of size. However, it would be fair to say that many organisations are still very much unprepared, and in need of transparent legal services to help with their GDPR preparations.
Starting next year, companies could incur significant fines for failing to comply (up to €20 million or 4% of global annual turnover, whichever is greater). On top of this, they could face negative publicity and litigation.
The main focus for organisations should be implementing processes to meet compliance and avoid these penalties. The Data Protection Commissioner (DPC) office has outlined nine key steps that organisations should focus on in the lead up to GDPR coming into effect.
Preparing for GDPR to come into force
Becoming aware of your obligations under the new regulations is the first step. Larger, more established organisations which have not already implemented processes will need to start as soon as possible to be compliant in advance of the deadline.
The GDPR will require organisations to keep an inventory of the personal data they hold, recording for each category of data:
- Why are you holding it?
- How did you obtain it?
- Why was it originally gathered?
- How long will you retain it?
- How secure is it in terms of encryption and accessibility?
- Did you ever share it with third parties?
The accountability principle puts an onus on organisations to demonstrate compliance.
The regulation comes into effect on 25 May 2018, less than a year away. Any established organisation which still holds a large portion of its data in hardcopy format may be storing personal data in a manner that runs afoul of the GDPR.
Communicating with Service Users
Organisations should review their current setup and identify any gaps that may exist between data collection and data processing. Any gaps should be addressed by using the criteria as set out above.
Prior to processing data, companies must notify their customers of the reasons and the legal basis for their data being processed. These notices must also be delivered in simple language, not legal jargon!
Respecting Personal Privacy Rights
You should review your internal procedures to ensure they cover an individual’s personal rights. This includes the deletion of personal data and provision of data in electronic format.
Rights for individuals under the GDPR include:
- Subject Access Requests
- To have inaccuracies corrected
- To have information erased
- To object to direct marketing
- Data portability
Essentially, individuals have the same rights under the DPA, but those rights will be enhanced under the GDPR. As a result, if your organisation is already compliant under the current DPA, implementing the new GDPR will be less cumbersome.
Complying with Access Request Timeframes
Organisations now need to comply with access requests within a month, and cannot charge for processing. While there are provisions within the GDPR to refuse requests deemed unfounded and excessive, organisations must have clear and defined procedures in place when dealing with such refusals.
Organisations will also have to provide additional information on request, such as retention periods and the right to have inaccurate information deleted. Organisations could save time and resources by developing systems that allow data subjects to access their personal information online. This is particularly relevant for older organisations, which may still hold many records in hardcopy format and therefore find it difficult to process requests quickly.
Identifying the Legal Basis for Processing Data
When processing data, organisations must identify and document the legal basis for processing that data. This is particularly salient when organisations rely exclusively on consent as a justification to process data.
Under the GDPR, individuals will have a stronger right to have their data deleted where customer consent is the only justification for processing. You must explain your legal basis for processing personal data in privacy notices and on answering subject access requests.
For government departments and agencies, there has been a significant reduction in the number of legal bases they may rely on when processing data. It will no longer be possible to cite legitimate interests. Instead, it will be necessary to have specific legislative provisions underpinning one or more of the methods organisations use to process data.
All organisations need to carefully consider how much personal data they gather, and why. If any categories can be discontinued, do so. For the data that remains, consider whether it needs to be kept in its raw format, and how quickly you can begin the process of anonymisation and pseudonymisation.
Obtaining Customer Consent as Grounds to Process Personal Data
Organisations should review how they seek, obtain and record consent, and whether they need to make any changes. Consent must be ‘freely given, specific, informed and unambiguous’ to meet the standards required by the GDPR. If it does not, then you should amend your consent mechanisms or find an alternative legal basis.
Note that consent has to be verifiable, individuals must be informed in advance of their right to withdraw consent, and individuals generally have stronger rights where you rely on consent to process their data. The GDPR is clear that controllers must be able to demonstrate that consent was given, so organisations should review the systems in place for recording consent to ensure an effective audit trail.
Processing Children’s Data
Organisations involved in the processing of data from underage subjects must ensure they have adequate systems in place to verify individual ages and gather consent from guardians.
The GDPR introduces special protections for children’s data, particularly in the context of social media and commercial online services. The state will define the age up to which an organisation must obtain consent from a guardian before processing a child’s data.
It should be noted that consent needs to be verifiable, and that the information on which it is based must be communicated to your underage customers in language they can understand.
Reporting Data Breaches
Some organisations are already required to notify the DPC when they incur a personal data breach. However, the GDPR will bring in mandatory breach notifications, which will be new to many organisations.
All breaches must be reported to the DPC, typically within 72 hours, unless the data was anonymised or encrypted. In practice, this will lead to most data breaches being reported. Breaches that are likely to bring harm to an individual – such as identity theft or breach of confidentiality – must also be reported to the individuals concerned. It is worth noting that a failure to report a breach when required to do so could result in a fine, as well as incurring a fine for the breach itself.
Now is the time to assess the types of data you hold and document which of them fall within the notification requirement in the event of a breach. Larger organisations will need to develop policies for managing data breaches at both central and local level.
Carrying out Data Protection Impact Assessments
A Data Protection Impact Assessment (DPIA) is the process of systematically considering the potential impact a project or initiative may have on the privacy of individuals. This allows organisations to identify and mitigate potential privacy issues before they arise. Where the DPIA indicates that certain identified risks cannot be fully mitigated, data controllers will be required to consult the DPC before commencing the processing.
Ultimately, such an assessment may prove invaluable in determining the viability of future projects. Organisations must start to assess whether future projects will require a DPIA, and consider:
- Who will do it?
- Who else needs to be involved?
- Will the process be run centrally or locally?
What we do
Johnson Hana International is helping organisations of all sizes with their GDPR preparations. We offer a full suite of flexible legal services to deliver compliance with the GDPR, such as managing and performing a desktop study and gap analysis, and issuing recommendations and an implementation plan.
JHI can also bolster clients’ internal GDPR teams with legislative interpretation, staff training and consultancy advice on the practical implementation of the legislation.
We even perform post-implementation reviews to provide a greater level of assurance. By offering totally transparent legal services, we aim to transform the legal sector’s reputation. Don’t fear the GDPR – JHI can support you every step of the way.