Taking Action On The 12 Steps
Ensure that key individuals within your organisation are aware of the changes to the law and what it means for your organisation.
In an ideal world these key individuals will undertake some form of training so that they fully understand the impact of GDPR, and how to comply with GDPR going forward. We can provide tailored training for your organisation or there are free webinars available on the internet.
Conduct an audit and document the personal data you hold to include where the data came from and who you share it with.
While this task is not overly complicated, it is likely to be the most time consuming. From 25 May 2018 any personal data held by your organisation can only be held for “specified, explicit and legitimate purposes” and must be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”. In these circumstances, the only way to ensure compliance with GDPR is to understand and document exactly what data you hold. We can provide a free data audit template to get you going.
Review and update your organisation’s privacy notices and contracts with processors (third parties who process data on your behalf).
Under the existing law (Data Protection Act) you are obliged to inform individuals of who the data controller is, the purposes for which their information will be processed and any further information which is necessary to enable the processing to be fair. The key change under the GDPR is a shift of focus to ensure that the same information is provided in a clear and understandable format.
Most organisations will require multiple privacy notices, e.g. for their employees, customers and suppliers. If your organisation holds personal information about children you will be obliged to have in place a notice that they can easily understand. Your privacy notice should include both the lawful basis and the reason for processing the information.
If you are relying on a third party to process data on your behalf (payroll providers, IT hosting, etc.), under the GDPR you are required to have a contract in place with the processor. The GDPR sets out that a processor must only act on the written instructions of the data controller and that the contract must include certain provisions. Furthermore, you are under an obligation to ensure that you only contract with third party processors who can provide sufficient assurances that they will comply with the GDPR when processing data on your behalf.
If you are a data processor and require advice in relation to your terms and conditions with data controllers (your clients) please seek further advice. We are able to provide template clauses which can be incorporated into your terms and conditions and ensure compliance with the GDPR.
Check and update your policies and procedures which deal with individuals’ rights, including how and when you will delete personal information and respond to requests.
Under the GDPR individuals have the following eight rights: the right to be informed, the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object, and rights in relation to automated decision making and profiling. Under the GDPR organisations are going to be expected to satisfy the ICO that they are compliant. A key piece of evidence in this regard will be your policies and procedures, which should include how your organisation will deal with the eight rights of individuals.
You will need to update your policies and procedures for handling subject access requests. The law has changed in that you can no longer charge for providing the information and you must comply with a request within one month (40 days under the DPA).
If a request is excessive or repetitive you can charge a “reasonable fee” or refuse to respond but these should be the exceptions rather than the norm. You can also extend the period for providing the information by a further two months if the request is complex or numerous. If you are thinking of relying upon either exception we suggest you first seek legal advice.
You are required to identify the lawful basis for processing any personal information processed (which includes storing/holding and deleting) by your organisation. This should be documented in your privacy notice.
The lawful bases for processing information are set out in Article 6 of the GDPR and are as follows:
- Necessary for the performance of a contract;
- Necessary to comply with a legal obligation;
- Necessary to protect someone’s life;
- Necessary to perform a task in the public interest;
- Necessary for your organisation’s or a third party’s legitimate interests.
You will need to review how your organisation seeks, records and manages consent under the new rules. Under the GDPR it will not be possible to rely upon pre-ticked opt-in boxes and proving valid consent will be far more difficult than under the DPA.
The GDPR has set a higher threshold for obtaining consent than under the DPA. Consent must be unambiguous and involve a clear and affirmative action. Pre-ticked opt-in boxes are specifically identified as being non-compliant. For consent to be validly given it also needs to be separate from your organisation’s other terms and conditions and not a precondition of signing up to your organisation’s services.
If your organisation processes children’s information, you will need to implement a system to identify children’s ages and obtain parental or guardian consent. You will also need to ensure that you have in place a privacy notice that can be easily understood by children.
The GDPR states that a child under the age of 16 cannot give valid consent for processing of their personal data and that, if consent is the lawful basis upon which your organisation is seeking to rely, that consent is required from a person holding parental responsibility. However, in the UK it is proposed to reduce the age of valid consent to 13.
Your organisation will be required to have systems and procedures in place for detecting, reporting and investigating any personal data breaches. Under the GDPR your organisation will be obliged to notify the ICO and the individual concerned of certain breaches within 72 hours of the breach occurring. A failure to notify within the 72 hours is likely to lead to an increased fine.
The ICO requires a notification where the breach is likely to result in a risk to the rights and freedoms of individuals. The most obvious examples are if data has been lost or stolen. Your organisation will be required to notify the individual if the risk to their rights and freedoms is high. If you are in any doubt as to whether a breach should be reported please contact us without delay.
Under the GDPR your organisation will have an obligation to show that you have implemented measures to protect individuals’ data. Furthermore, you will be required to undertake Data Protection Impact Assessments (DPIAs) where data processing is likely to result in high risk to individuals.
The ICO has described these elements as “Data Protection by Design” – this is best explained as the change of culture the ICO are expecting organisations to introduce when it comes to protecting and handling individuals’ data.
If a DPIA suggests that the processing is high risk and it will be difficult to address those risks, your organisation is required to consult with the ICO.
The ICO has listed the following as examples of when it will be necessary to conduct a DPIA:
- “where a new technology is being deployed”
- “where a profiling operation is likely to significantly affect individuals”
- “where there is processing on a large scale of the ‘special categories’ of data”
Consider whether your organisation is required to appoint a Data Protection Officer (DPO) and either way, designate responsibility for compliance with the GDPR to an individual or group of individuals.
Your organisation must appoint a DPO if you are:
- A public authority (including Academies);
- An organisation that carries out the regular and systematic monitoring of individuals on a large scale; or
- An organisation that carries out large scale processing of special categories of data including health records and criminal convictions.
If your organisation operates in another EU state you will need to identify your lead data protection supervisory authority.
This will involve identifying where your organisation’s “main establishment” is located for the purposes of GDPR and then identifying the relevant authority.
You may feel comfortable undertaking some or all of these tasks without the benefit of legal support, whereas other organisations may wish to engage our firm to assist them with each aspect of preparing for the GDPR. We are able to provide specialist and expert support to meet your needs, whether that is undertaking discrete tasks such as drafting privacy notices and policies, advising on particular areas such as retention periods, the appropriate legal basis for processing or your organisation’s method of obtaining consent, or full consultancy.
If you are interested in further support please contact
Partner, Solicitor, Head of Business Services