Big organisations already have a heads-up on the new General Data Protection Regulation (GDPR), but for SMEs the impact is unclear and often confusing.
Never mind Brexit, UK business must comply
GDPR compliance represents the biggest shake-up in data protection legislation for decades, introducing new roles, responsibilities and, potentially, heavy fines. All businesses need to be aware of these and take action to minimise the risks involved.
The new legislation will replace the Data Protection Act and take full effect in May 2018. It will be automatically effective in all EU member states and, irrespective of Brexit, UK business must comply.
If you already comply with the Data Protection Act, your approach to compliance will remain valid under the GDPR and will be a good place to start. Over the next few months the Information Commissioner’s Office (ICO) is planning new guidance and tools to assist. That said, start as early as you can by considering GDPR’s new transparency and individuals’ rights provisions. Don’t worry, we’re covering this below.
The ICO has produced a helpful 12-step approach to preparing for GDPR. Here are some of the key points so that you have a better understanding of what is required:
Use GDPR’s two-year lead-in period to raise awareness and update your risk register accordingly.
Document what personal data you hold, where it came from and who you share it with. Post-GDPR, if you have inaccurate data and share this with another organisation, you will have to tell the other organisation about the inaccuracy so it can correct its own records.
Communicating privacy information
Future privacy notices will now need to explain your legal basis for processing data, data retention period and right to complain.
On the whole, the rights that individuals will enjoy under GDPR are the same as those under the DPA, but with significant enhancements. The main rights for individuals under GDPR include:
the right to be informed
the right of access
the right to rectification
the right to erasure
the right to restrict processing
the right to data portability
the right to object.
Subject access requests
The timescales for responding to requests are reduced to a month and, in most cases, you will not be able to charge. If you refuse a request, you will need to have the necessary policy and procedures in place.
It is advisable to review how you are seeking, obtaining and recording consent. Consent needs to be freely given, specific, informed and unambiguous. GDPR makes reference to 'consent' and 'explicit consent' and it is for you to provide evidence that consent was obtained.
Legal basis for processing personal data
You will need to review the type of data processing you carry out, define your legal basis for doing so and document it. People will now have a stronger right to have their data deleted, particularly where you use consent as your legal basis for processing.
In the UK that’s anyone below the age of 13, so you will need to verify individuals’ ages and obtain consent from parents or guardians to process their data. Special rules now apply to children’s data obtained from, say, social media.
Make sure you have the right procedures in place to detect, report and investigate a personal data breach. This could involve assessing the types of data you hold and documenting which would fall within the notification requirement if there were a breach.
Data protection impact assessments
You should familiarise yourself now with the guidance the ICO has produced on Privacy Impact Assessments (PIA): the situations giving rise to a PIA and who will need to be involved.
Data protection officers
While some organisations will need to designate a data protection officer, the important thing is to make sure that someone in your organisation, or an external data protection adviser, takes responsibility for your data protection compliance.
If your organisation operates internationally you should determine which data protection supervisory authority you come under.
Awareness is crucial if you are to minimise the impact of GDPR. If you have not already done so, start talking with your professional advisers, suppliers and distributors to co-ordinate your efforts. Some companies will set up an internal project team while others will appoint external advisers to ensure compliance.
Whatever your business, it's a good idea to get a plan in place - and sooner rather than later.