One of the major changes coming into effect next year is the introduction of the General Data Protection Regulation (GDPR) on 25 May 2018. It is likely to affect your business in the way you deal with employees, clients and suppliers alike.
The Regulation allows for fines of up to 4% of your business' annual global turnover or €20 million, whichever is greater, in addition to any regulatory or compliance action, so it is important to understand the changes being implemented. Many businesses see GDPR as a troublesome burden on the horizon, but by preparing at every step and seeking assistance early, it need not be a headache for you or your business.
Here are our top tips for getting ready for GDPR:
- Review what personal data you currently hold, and ask where it is held, how it is held and why you hold it. "Personal data" is any information relating to a person who can be identified, directly or indirectly, from it, such as a name, an ID number, location data or an IP address. Contact details such as a full name and email address for a specific individual therefore fall within this definition. You should also review who within your company has access to the personal data you hold, and how that data is secured.
- Review how consent is obtained, recorded and managed. Under the Regulation, a person's consent must be "freely given, specific, informed and unambiguous", and there must be a clear affirmative action by the person agreeing to the processing of their data (pre-ticked boxes and silence do not count). Consent can be withdrawn at any time, and withdrawing it must be as easy as giving it was.
- Policies and procedures need immediate review across the board. This includes employment contracts and policies, terms and conditions, privacy policies, the use of marketing databases (for newsletters, for example) and payroll procedures. Do you also need to review your existing data processor agreements? Wherever a document needs updating, make sure the new version is compliant.
- Identify which areas of the company are likely to present the greatest risk.
- Identify the roles that apply to your company. For each set of personal data, is your company acting as a Data Controller (deciding why and how the data is processed) or as a Data Processor (processing it on a controller's behalf), and do you need to appoint a Data Protection Officer? Decide who within the company will be responsible for these roles.
- Identify whether each category of data you currently hold is processed for a specified, explicit and lawful purpose, and on which lawful basis. Do you need to review and refresh the consents that have already been given in respect of the data you hold?
- Consider awareness: the extent to which your employees, workers and agents know about GDPR. Given the wide scope of "personal data" and "processing", and the potential consequences for the company, most of your staff will need to be fully aware of the Regulation and its impact. Do you need internal training to ensure compliance?
- Breaches need procedures for both prevention and response. A data breach can be as simple as an email sent to the wrong person or a laptop or papers left on public transport. You need a GDPR-compliant system that not only limits the chance of this happening but also sets out what must be done if a breach occurs, including the Regulation's requirement to notify the supervisory authority within 72 hours of becoming aware of a breach (unless it is unlikely to result in a risk to individuals) and to keep a record of all breaches.
- Reduce the data you hold wherever possible. This will make compliance with GDPR easier and should be done before the Regulation comes into effect. GDPR applies to "processing", which includes not only the use or disclosure of data by transmission but also its storage and destruction, so data you no longer need is still data you are responsible for.
- Transparency is key. Make sure that both your consent mechanisms and your procedures are transparent to the people whose data you hold.
We will be publishing further blogs on GDPR and the impact on your company but if you have any questions in the meantime, please contact Rashmi Dubé or Mara Gosling on +44 207 873 2279 / +44 113 302 1330 or firstname.lastname@example.org