The GDPR doesn’t apply until 25 May 2018, is that not plenty of time to prepare?
While just under a year might sound like a long time, achieving compliance with the General Data Protection Regulation (GDPR) is not something that can be achieved overnight. We recommend that you start the process now, if you haven’t done so already.
But what about Brexit coming, can’t we just ignore it?
No, the GDPR will automatically become law in the UK before Brexit, without the need for implementing legislation. Post-Brexit, businesses will still have to comply with the GDPR where they are providing goods and services within the EU, whether as part of a single market or otherwise.
What are the key ‘game changers’?
1) Scope and cross border processing - all businesses, even those located outside of the EU, must comply with the GDPR where they offer goods or services within the EU or monitor the activity of people within the EU.
2) Change to consent - more prescriptive rules apply where relying on consent as a justification for processing; the procedure for gaining each individual’s consent must be fair and lawful, and that consent must be freely given, specific, informed and unambiguous.
3) Obligations for data processors – not only are the owners of personal data responsible for compliance, but so are those holding that data too.
4) Administering compliance –
5) Enhanced rights for individuals - data subjects are given substantial rights including the right to be forgotten, data portability rights and the right to object to automated decision making.
So how can you and your business prepare?
1) Audit – conduct an audit to establish what personal data you currently process. Where is the data stored? Who has access to this data?
2) Review – review all existing data protection policies and codes of conduct to ensure they comply with the new principles. In particular, review your internal policies and procedures to ensure that they address the transparency requirements and individuals’ rights.
3) Consent– what grounds do you currently rely on for lawful processing? How do you currently obtain consent? You will no longer be able to rely on pre-ticked boxes or bundled consent.
4) Training – spread awareness of the GDPR, training all relevant staff members on the changes, to ensure that all requests from individuals relating to personal data are dealt with and responded to effectively. This should include implementing internal breach notification procedures and incident response plans, and identifying and training any required Data Protection Officer.
5) Record– to demonstrate compliance, maintain detailed processing records of all data processing activities, including decisions relating to processing.
For further information and advice on complying with the GDPR, contact the Commercial team on 0113 220 6270.