You should know by now that the General Data Protection Regulation 2016 ((EU) 2016/679) comes into force in all EU member states from 25 May 2018, and the British Government has confirmed that it will not repeal this law upon Brexit. This is the biggest change in data privacy law in 20 years.
The GDPR imposes a much stricter regime than under the present law, with new measures including:
- Expanded territorial scope – non-EU data controllers and processors will be caught by the GDPR if they offer goods or services to EU subjects, or monitor data subjects’ behaviour within the EU.
- Direct obligations imposed on data processors as well as data controllers – for example in implementing organisational measures.
- Higher penalties for non-compliance – there will be two tiers of penalty, with maximum fines of 4% of annual worldwide turnover or €20,000,000, whichever is higher. This is 40x higher than the current regime.
- Increased rights of data subjects – including the “right to be forgotten” and right to data portability.
- Higher standard of consent – where consent is relied upon as the basis for processing data, data controllers will need to show that it was given freely, specifically and unambiguously by the data subject. There are new rules in relation to processing children’s data on the basis of consent.
Policies, systems and procedures will need to be reviewed in advance of 25 May 2018 to ensure compliance with the new law. Businesses should consider:
- Preparing for data breaches – there is a duty to notify security breaches to data protection authorities and, in some circumstances, to the affected data subjects. Businesses will need to develop policies and rehearse notification.
- Establishing a framework for accountability – the GDPR imposes onerous obligations on data controllers. Policies and cultures should be designed to minimise risk, using impact assessments.
- Incorporating privacy by design – all new processing and/or products should be embedded with privacy principles.
- Analysing and recording the legal basis of personal data use – what data processing does the business undertake and how it is justified?
- Checking privacy notices and policies – these should be transparent, easily accessible and make provision for the enhanced rights of data subjects.
- Considering rights of data subjects – how do these compete with the business’s legitimate interests and what happens if an individual tries to exercise them?
- Reviewing cross-border data transfers – given increased fines, businesses should review grounds for transferring personal data to jurisdictions without adequate data protection regulation.
- Appointing a Data Protection Officer – this will be a requirement for some organisations
- Suppliers – consider whether they have new obligations as a data processor.
- Contracts – need to be revised or renegotiated to take account of the new duties and relationships with third parties.
Where to start?
There is so much to do that it is difficult to know where to start. However, the following project plan will help you get ready:
|Decision-makers||Build support with high-level managers to secure resources and budget. Establish cross-function compliance team.|
|Appoint DPO||Appoint Data Protection Officer to oversee compliance strategy.|
|Legal framework||Understand GDPR requirements and differences with current regime.|
|Data audit||Perform data audit, classify data by type and risk, determine legal grounds for processing.|
|Gap analysis||Review IT systems, procedures, cybersecurity and supply chain relationships to check compliance.|
|Risk assessment||Identify risks and prioritise remedial measures in areas of most significant risk and impact.|
|New solutions||Assess whether new solutions or software required; seek quotations from suppliers and conduct due diligence.|
|Supply chain contracts||Renegotiate supply chain contracts to deal with liability and cross-border data transfers.|
|Data breaches||Set up internal procedures to identify and deal with data breaches.|
|Update documents||Update privacy policies, notices and other public documents.|
|Establish Insurance||Contact insurance broker and arrange underwriting. Communicate terms of policy to management.|
|Training||Deliver training to ensure employees understand their compliance obligations.|
|Testing||Carry out a pilot test of new systems and procedures and make any necessary adjustments.|
|Monitor||Monitor effectiveness of systems and procedures. Keep up to date with GDPR guidance and refresh staff training.|
In addition to the changes in data protection, the European Commission has published a draft Regulation on Privacy and Electronic Communications (2017/0003 (COD)). It is intended that this will also come into effect in May 2018. https://ec.europa.eu/digital-single-market/en/news/proposal-regulation-privacy-and-electronic-communications
This draft regulation deals with:
- Wifi Tracking
- Electronic Direct Marketing
- Electronic content and metadata.
There are major issues here which will need to be considered. As this is still in draft form, you will need to monitor the proposed changes as they may vary considerably from the present text. The best way to do this is to keep monitoring the ICO website for updates.
The GDPR is designed to further protect the personal data of individuals. This will require significant investment of time and money. However, these changes will also enable businesses to think more carefully as to how they interact with their customers and in the long term may well improve customer relationships with increased trust and a respect for personal privacy.
Getting it wrong is not an option. The financial and reputational damage from a breach of these new laws could well put many companies out of business.
By Christopher Evans, Consultant at Druces LLP
Join our free-to-attend digital event, Last Thursday in Privacy, addressing data protection, privacy and security challenges including working from home, COVID-19, global regulations and more. Visit https://digital.privsec.info/.
We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.