Companies should start their GDPR compliance implementation process as soon as possible.
The General Data Protection Regulation (GDPR) becomes effective on 25 May 2018, and its implementation will require a comprehensive plan to ensure that its impact on your organisation is fully assessed, understood and mitigated.
A lack of compliance with the Regulation can expose your company to significantly tougher fines than the current fines imposed for breach of the Data Protection Act.
A lack of compliance with the Regulation can expose your company to significantly tougher fines.
The Regulation will elevate data processes and protection to Board level for ongoing attention and review.
The following are some key points to consider when planning for GDPR:
1. Board-level buy in
All companies should make key decision-makers and executives aware of the new Regulation and its potential impact. From there, companies can move forward with confirming or implementing controls and procedures related to GDPR compliance.
This may include determining and documenting whether it is mandatory for the company to appoint a Data Protection Officer (DPO). If the company determines a DPO not to be mandatory, the organisation may want to consider voluntarily appointing a DPO. Alternatively, the company may assign a designated person with responsibility for data protection compliance and deciding where they will sit in the organisation’s structure.
Companies should consider whether to conduct a Data Protection Impact Assessment (‘DPIA’), effectively a data protection risk assessment. The DPIA process is recommended by the Information Commissioner's Office (ICO) to all organisations handling personal data. It can help in the early identification of problems, potentially reducing the risks of fines being imposed, the risk of reputational damage, and costs that may be associated with remedying a breach of the Regulation. DPIAs are mandatory where the envisaged data processing activity is likely to result in a high risk to the rights and freedoms of people, and they must be completed prior to carrying out the processing activity.
2. Information analysis
Consider conducting an information audit to establish what personal data your company holds.
Consider conducting an information audit to establish what personal data your company holds, what it is used for, where it came from, who it is shared with, and how it is stored and transferred. This audit may help determine whether your organisation is i) a controller, ii) a processor or c) both, and what contracts are or should be in place, including what changes need to be made to existing contracts. Furthermore, reviewing existing data-related policies and other documents is important. This includes the process of identifying and documenting the changes that need to be made to existing policies and documents.
3. Individuals’ rights
Check your policies and procedures to ensure that all individuals’ rights are covered, such as the ‘right to erasure’ (the right to be forgotten) and that individuals’ data can be provided to them in a commonly used format. This should be reviewed across all data collection formats such as the internet, call centres and paper. Similarly, how consent to collect is sought, obtained and recorded should also be reviewed and necessary changes made. Data subject access requests should also be considered with respect to the new timetables and how additional information will be provided.
4. Communication and data breaches
Review privacy policies, procedures and documentation and update them, where appropriate, to ensure they are GDPR compliant. Data breach detection, reporting and investigation should also be planned for and thoroughly tested, with robust incident management processes in place.
For more information, please contact Max Perkins on:
+44 0)20 7933 2694
Please note that the purpose of this article is to provide a summary of and our thoughts on aspects of the General Data Protection Regulation. It does not contain a full analysis of the law nor does it constitute a legal opinion or advice by Lockton Companies LLP on the law discussed. The contents of this article should not be relied upon and you must take specific legal advice on any matter that relates to this. Lockton Companies LLP accepts no responsibility for loss occasioned to any person acting or refraining from acting as a result of the material contained in this article. No part of this article may be used, reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, reading or otherwise without the prior permission of Lockton Companies LLP.