As the General Data Protection Regulation (“GDPR”) comes into force on 25 May 2018, you only have one week to get your house in order. Although the ICO has dispelled some of the media scare-mongering about huge fines, they have also made clear that there will be no grace period. They expect compliance from day one. So if you are not yet ready for the GDPR, what do you need to do now?
As the GDPR regime will largely be complaints-driven, your priority now should be to minimise your risk of complaints by putting in place the more “public-facing” requirements of GDPR before 25 May 2018. These include:
Once finalised, this policy should be easily accessible. As a minimum, this means publishing it on your company’s website.
Again, this must include the elements required by the GDPR, including what types of personal data and special category data you hold, how you process it, your lawful basis/bases for doing so and who it may be passed on to.
Think carefully about which lawful basis or bases you will rely on to process personal data, as these must be stated in your privacy policies. Be wary of relying on consent to process employee data, and conduct a careful assessment before relying on “legitimate interests”: this means balancing your legitimate interest against the data subject’s interests, rights and freedoms, and documenting that assessment. If the data subject’s interests, rights and freedoms outweigh yours, you cannot rely on this basis.
- A data retention and destruction policy, which may be a stand-alone policy or could be included in a broader data protection policy.
Once you have dealt with these urgent public-facing aspects, you should also take the following key steps to comply with the GDPR as soon as possible:
- Audit what personal data you have, including where it came from, where it is held, how and why you “process” it and who you share it with. This may be more difficult for consumer-facing businesses than B2B businesses.
- If you outsource any data processing to third parties (e.g. payroll administration or business-card printing), review your contracts with those processors and ensure they include the mandatory processor clauses required by Article 28 of the GDPR.
- Review your employment or service contracts.
If they refer to data protection, or to express or implied consent to process employees’ personal data or special category (formerly “sensitive”) personal data, you may wish to update those clauses: consent given in an employment contract is unlikely to be freely given, so you cannot rely on it going forwards.
If you don’t want to update your contracts, make sure that you do not seek to rely on consent given in those contracts going forwards.
- If your other business contracts with suppliers and customers contain data protection clauses, these should be reviewed and updated.
- Think about accountability and demonstrating compliance. This might include:
  - considering whether you need to conduct any Data Protection Impact Assessments;
  - appointing a data protection officer (if needed); and
  - ensuring that you have procedures for identifying and reporting data breaches (a notifiable breach must be reported to the ICO within 72 hours of your becoming aware of it) and for responding to subject access requests (normally within one month).
- Assess and improve your cyber security. The GDPR requires technical and organisational measures appropriate to the risk (Article 32), so a breach caused by inadequate security is a compliance failure in its own right, not just an operational one.
- Train staff.
As with areas such as cybercrime, staff are your best defence and greatest potential weakness in complying with GDPR.
Although there will be no “grace” period and compliance is expected from 25 May 2018, the ICO has emphasised that it is a “fair and proportionate regulator” and should, hopefully, have more sympathy for companies that have made, and are making, genuine efforts to comply now and in the future. So do all you can now!
These notes have been prepared for the purpose of articles only. They should not be regarded as a substitute for taking legal advice.