The GDPR (General Data Protection Regulation) is a set of rules that aims to protect EU citizens from privacy and data breaches. All organisations that process personal data, regardless of Brexit, will need to comply with the regulation or risk extremely high fines.
This 10-step guide cuts to the main points and tells you what your organisation really needs to know about the GDPR.
Consent, Consent, Consent...
First (and arguably most importantly), consent to store personal data must be freely given by your customers. This means there needs to be a positive opt-in: consent can't be assumed from silence or pre-ticked boxes. You should also make sure you have a clear process that allows individuals to withdraw consent, for example by emailing customer service.
The Rights of Individuals
The GDPR lists the following rights for individuals:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to object
- The right not to be subject to automated decision-making including profiling.
You should revisit your procedures and make sure that you are geared up for the changes the GDPR presents. Importantly, you will need to be able to provide the personal data you hold in a structured, machine-readable form.
Know Your Data
You and your teams need to be fully aware of what personal data you hold, where it came from and who you share it with. The GDPR requires you to keep records of all of your data processing activities, so there could be consequences if you have inaccurate data on file.
Doing this will mean that you are in line with GDPR’s accountability principle, which states that organisations need to be able to show how they comply with the regulations – for example by having effective policies and procedures in place.
Privacy Notices & Communicating Information
Under the GDPR, there are some additional things you will have to tell people, including your data retention periods and that individuals have a right to complain if they think there is a problem with the way you are handling their data.
With this in mind, we recommend reviewing your current privacy notices and putting a plan in place for making any necessary changes.
Access to Data Requests
You should also update your procedures and plan how you will handle requests to take account of the new rules:
- In most cases you will not be able to charge for complying with a request.
- You will have a month to comply, rather than the current 40 days.
- You can refuse or charge for requests that are manifestly unfounded or excessive.
If you refuse a request, you will need to tell the individual why and that they have the right to complain – this must be done within one month at the latest.
Lawful Basis for Processing Personal Data
Many organisations will not have thought about their lawful basis for processing personal data. Under the current law this has few practical implications; however, this will be different under the GDPR because some individuals' rights are modified according to the lawful basis relied on. The most obvious example is that people will have a stronger right to have their data deleted.
You will also have to explain this when you answer a subject access request. The lawful bases in the GDPR are broadly the same as the conditions for processing in the DPA. It should be possible to review the types of processing activities you carry out and to identify your lawful basis for doing so.
Data Breaches
The GDPR introduces a duty on all organisations to report certain types of data breach to the ICO and, in some cases, to the individuals affected. You have to notify the ICO when a breach is likely to result in a risk to the rights and freedoms of individuals – for example if it could result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage.
When a breach is likely to result in a high risk to the rights and freedoms of individuals, in most cases you will also have to notify those concerned directly, so you should put procedures in place to detect, report and investigate breaches effectively. Failure to report a breach when required to do so could result in a fine, in addition to any fine for the breach itself.
Data Protection Officers
You must assign a member of your team as a DPO if you are:
- an organisation that carries out the regular and systematic monitoring of individuals on a large scale
- a public authority (except for courts acting in their judicial capacity)
- an organisation that carries out the large-scale processing of special categories of data, such as health records, or information about criminal convictions.
If you fall into one of the above categories, it is important that someone in your organisation, or an external data protection advisor, is able to take responsibility for your data protection compliance and has the knowledge, support and authority to carry this out effectively.
Cross-Border Processing
If your organisation operates in more than one EU state, you should determine your lead data protection supervisory authority. This will be the authority in the state where your central EU administration is located, or where decisions are made about the purposes and means of processing data.
This is only relevant if you carry out cross-border processing – i.e. you have establishments in more than one EU member state, or you have a single establishment in the EU that carries out processing which affects individuals in other EU states.
Education, Education, Education!
It is important that all of your team members are up to speed on the new regulation – particularly those who deal with the personal data of customers or clients (e.g. email marketers and business developers). Your teams will need to understand how the GDPR will affect resources and appreciate its impact.
If your organisation follows the above 10 guidelines, you will be in a better position to navigate the GDPR. The JBi team is committed to helping its clients succeed, so please feel free to get in touch with any questions or concerns.