The General Data Protection Regulation (GDPR) will apply from 25 May 2018 across all European Union markets. This includes the UK, despite its plans to leave the European Union.
If your business is not in the EU, you will still have to comply with the regulation if you collect, share and use personal data of EU citizens. While some similarities exist with the current UK Data Protection Act 1998 (DPA), the GDPR will:
- introduce several new and different requirements for most businesses
- give individuals more control over their personal information
- apply to companies outside the EU that process personal data of EU citizens
When the General Data Protection Regulation comes into force, you must fully comply with the GDPR or face significant penalties (including potential fines of up to a maximum of €20 million or 4 per cent of global turnover).
Here, we summarise the steps you should take to prepare for the changes ahead of the May 2018 deadline and beyond.
1. Carry out an information audit
An information audit can help you identify areas that could cause compliance problems under the GDPR. It's important to look at what information you collect, store or process and determine:
- why you are processing it
- how you obtained it
- what the purpose of the processing is
- how long you plan to keep it
- how secure it is
- who you share it with, or might share it with, and how
An inventory of all personal data you hold will help you comply with the GDPR's accountability principle, which requires organisations to demonstrate how they comply with the data protection principles when carrying out their business.
2. Determine the legal basis for processing personal data
For processing to be lawful under the GDPR, you will need to identify a legal basis before you can process personal data. You will also need to document it accordingly.
Under the DPA, legal bases are often referred to as 'conditions for processing'. Under the GDPR, however, the legal basis you choose carries greater practical implications because of its effect on individuals' rights. For example, if you rely on someone's consent to process their data, they will generally have stronger rights, such as the right to have their data deleted.
There are six legal bases for processing data under the GDPR:
- consent of the individual
- contractual necessity
- compliance with legal obligations
- vital interests of the data subjects
- public interest
- legitimate interests
See more on the GDPR provisions relating to lawful processing.
3. Review your use of consent
The GDPR sets a high standard for consent. Like the DPA, it has references to both 'consent' and 'explicit consent'. Both forms of consent under GDPR have to be:
- freely given
- an unambiguous indication of the individual’s wishes
Under GDPR, consent also requires some form of clear affirmative action. This means that you cannot presume consent from silence, pre-ticked boxes or inactivity.
You will have to be able to demonstrate that consent has been given. This generally means that you will have to keep some form of record of how and when you have sought and received consent.
If you rely on an individual's consent to process their data, take steps to ensure that your processes meet the enhanced standards required under the GDPR. Otherwise, you may want to find an alternative to consent.
See more in the Information Commissioner's Office (ICO) draft GDPR consent guidance.
4. Review and update your privacy notices and policies
Under GDPR, you will have to provide privacy information in clear and plain language. Your policies should be transparent and easily accessible. You will also have to include in your privacy notices certain additional information, such as:
- the legal basis for processing the data
- data retention periods
- rights of individuals to complain about the manner in which you handle their data
- whether data will be subject to automated decision-making
Find out more in the ICO's privacy notices code of practice.
5. Keep in mind individuals' rights
The GDPR introduces greater rights for data subjects. You should check your procedures and systems to ensure they align to the new or enhanced rights under the General Data Protection Regulation, including:
- subject access right (SAR)
- right to have inaccuracies corrected
- right to have information erased
- right to prevent direct marketing
- right to prevent automated decision-making and profiling
- right to data portability
You should prepare for data subjects to exercise their rights and put in place procedures that will enable you to deal with possible scenarios, eg someone asking you to delete their personal data, or provide their data electronically or in commonly used formats.
See more on individuals' rights under the GDPR.
6. Prepare for new rules and timescales for SAR
The rules for dealing with subject access requests will change under the General Data Protection Regulation. In most cases, you will not be able to charge for processing an access request, unless you can demonstrate that the cost to respond will be excessive.
The timescale for processing an access request will also shorten – you will have a month to comply rather than the current 40 days.
You will have some grounds for refusing to grant an access request. However, you will need to have clear refusal policies and procedures in place, and be able to demonstrate why the request meets these criteria.
You will also need to provide some additional information to people making requests, such as your data retention periods and the right to have inaccurate data corrected. If your organisation handles a large number of access requests, the impact of the changes could be considerable.
Find out more about the right of access under the GDPR.
7. Prepare for new rules regarding children's personal data
The GDPR has new provisions that aim to enhance the protection of children's personal data. These include:
- clear privacy notices for children, where services are offered directly to a child
- parent/guardian consent, where online services (eg social networking) are targeted at children
If your organisation collects personal data of children, you should think about putting systems in place to verify individuals' ages and to gather parental or guardian consent for the data processing activity.
8. Prepare for data security breaches
The General Data Protection Regulation will introduce a duty on all organisations to report certain types of data breach to the ICO, and in some cases to the individuals affected.
Under the DPA, some organisations already have to notify the ICO or other bodies when they experience a data breach. Under the GDPR, however, this duty will apply to all organisations if the breach is likely to have a significant detrimental effect on individuals, eg:
- result in discrimination or damage to reputation
- cause financial loss, identity theft or breach of confidentiality
You should put in place clear policies and procedures to ensure that you can quickly detect any data breach, react appropriately and notify in time where required. Find out more about the breach notification duties.
9. Prepare for 'privacy by design' and privacy impact assessments
Under GDPR, you will have to implement technical and organisational measures to show that you have considered and integrated data protection into your processing activities. Find out more about the 'privacy by design' approach to data protection.
You must ensure that you have clear policies in place to prove that you meet the required data protection standards under the GDPR. You can follow best practices for accountability by establishing a culture of:
- monitoring, reviewing and assessing your data processing procedures
- minimising data processing and data retention
- building in data protection safeguards, including regular staff training
As an integral part of this 'privacy by design' strategy, you may need to carry out a privacy impact assessment. The assessment will help you to identify and reduce the privacy risks of your projects.
Under GDPR, you will need to carry out a privacy impact assessment:
- when using new technologies
- if the processing is likely to put at risk the rights and freedoms of individuals
Find out more about privacy impact assessments.
10. Appoint a data protection officer (DPO)
The GDPR will require some organisations to designate a DPO, for example public authorities and organisations that regularly and systematically monitor individuals on a large scale.
You may appoint a single DPO to act for a group of companies, taking into account their structure and size. An organisation can also designate a DPO on a voluntary basis; however, the same requirements will apply to his or her designation, position and tasks as if the designation had been mandatory.
The DPO's role is to facilitate compliance with the provisions of the GDPR within an organisation. Find out more about the role of Data Protection Officers.
11. International data transfers
The General Data Protection Regulation imposes restrictions on the transfer of personal data outside the European Union. It does so to ensure that the level of protection individuals have under the GDPR is not undermined.
Under GDPR, you may be able to transfer personal data:
- subject to appropriate safeguards
- on the basis of the ICO's decision regarding levels of protection in specific territories
Read more about the transfer of data under the GDPR rules.