
The final countdown… are you GDPR ready?


31 May 2017

We are less than one year away from the EU’s new data protection law, which raises the question of whether businesses are GDPR ready. Sarah Thompson of McGuireWoods summarises where we are now and provides some fast facts.

The regulation will have a global reach: it will apply not only to organisations established in the EU, but to any business that processes the personal data of individuals in the EU in order to offer them goods or services, or to monitor their behaviour. Failure to become GDPR ready can result in significant fines of up to €20m or four per cent of an organisation’s global annual turnover, whichever is higher.

What’s more, the UK will still be in the EU when the regulation starts to apply, and the government has expressed an intention to retain it (or implement something similar) following Brexit to ensure the continued free flow of data between the UK and the EU.

We have already received guidance at European level and from our own supervisory authority, the Information Commissioner’s Office (ICO), so we know what regulators expect. Further guidance and other tools to assist with preparations are still awaited but, in the meantime, we should be doing what we can to become GDPR ready by May 2018.

Businesses that have not started to prepare by now are already behind the curve, but it is never too late to start implementing a compliance program. So here are some key questions and priority action points to get you GDPR ready.

1) What is your role?

The GDPR places ultimate responsibility for data processing on data controllers (organisations that determine the purposes for which, and the manner in which, personal data is processed). Data processors (those processing data on behalf of controllers) will have direct statutory obligations under the GDPR and will be subject to administrative fines in the event of a breach.

Action point: Determine whether your business is a data controller or processor and become familiar with the new legal requirements.

2) Where is the data?

Before you start to implement a compliance program you will need to know what personal data you hold, where it came from and with whom you share it.

Action point: Undertake a personal data audit across the organisation, produce a personal data inventory and data flow map.

3) Are your privacy notices sufficient?

The GDPR requires data subjects (individuals whose personal data you are processing) to be provided with prescribed information. The information must be provided in a concise, transparent, intelligible and easily accessible way.

Action point: Review your data privacy notices and update to reflect the new requirements. Notices need to be regularly reviewed to ensure they cover any new types of data collected or new uses for that data.

4) What rights do data subjects have?

Data subjects have a number of rights over their data, e.g. the right to access it, the right to erasure (to be ‘forgotten’), the right not to be subject to solely automated decision-making, the right to object to direct marketing, and the new right to data portability.

Action point: Determine what policies and procedures you have in place for handling data subjects’ rights, and update or implement them so that they comply with the new regime.

5) Do you need a Data Protection Officer?

It will be mandatory to appoint a data protection officer (DPO) for public authorities, and for private organisations whose core activities involve regular and systematic monitoring of individuals on a large scale or large-scale processing of special categories of data (e.g. medical data) or criminal records. The role of the DPO is to advise on GDPR matters, monitor compliance, ensure policies and training are implemented and liaise with supervisory authorities. Where a DPO is not mandatory, a business may decide to appoint someone to this position anyway to show it is committed.

Action point: Decide whether a DPO is required or, if not, whether you want a DPO role within the organisation. Consider whether this should be an existing employee or an external consultant and, for global businesses, where the DPO should be located.

6) Can you deal with a data breach?

Data controllers will have to notify the supervisory authority within 72 hours of becoming aware of a breach (unless the breach is unlikely to result in a risk to individuals) and, where the breach is likely to result in a high risk to the individuals concerned, notify those data subjects without undue delay. Organisations must also keep a record of all data breaches, which the supervisory authority can inspect to verify compliance.

Action point: Implement a data breach response plan so that individuals within the business know what to do (whom to report to, and by when). The 72-hour clock runs from the moment the organisation becomes aware of the breach, so the plan needs to get incidents escalated quickly.

The above is only a high-level overview of some of the key issues and action items you need to consider to be GDPR ready. In light of the significant changes some businesses will need to make, and the substantial fines for non-compliance, it is important your organisation begins or continues with its compliance program in readiness for next May.

Sarah Thompson is an employment lawyer at McGuireWoods
