5 Steps for GDPR Compliance
The new General Data Protection Regulation (the ‘GDPR’) is fast approaching and takes effect on 25 May 2018. The GDPR applies to all organisations and strengthens the rules in relation to the protection, storage, consent and use of all data.
Non-compliance can result in administrative fines up to EUR 20,000,000 or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
The GDPR is a vast and expanding area and is likely to mean that you are required to change many of your current practices and policies. Therefore, it is crucial that your business is GDPR compliant before the regulations become effective.
We know that this can be overwhelming for a business and so our aim is to simplify the process for you. We believe that the implementation of the GDPR may provide businesses with the opportunity to review and update their current processes and procedures which may, in turn, increase the efficiency and productivity of your business practices.
We have, therefore, condensed your GDPR obligations into 5 categories:
1. Knowledge and Awareness
It is important to understand how the GDPR applies to your organisation. In addition to overall awareness, you should ensure that the awareness translates into a proactive approach to data protection within your business.
The GDPR has explicit requirements, such as responding to customer complaints within 30 days, amending and correcting or restricting the use of customer data on request, clearly defining the retention periods for the type of data the business holds and keeping a record of the type of data collected and processed.
It will also be important to classify data, implement encryption and centralise customer data management using secure software and applications. It is also important to ensure that your supplier-level agreements and contracts comply with the GDPR rules when contracting with another business or consumer. Regular meetings between senior staff, particularly those with responsibility for data protection matters, should be held to improve and ensure your compliance with the GDPR throughout your business.
2. Put someone in charge
The nature of your business may mean you are required to appoint a Data Protection Officer under the GDPR. The Data Protection Officer will be responsible for defining procedures for the business and overseeing your data protection practices to ensure GDPR compliance. They will also be the first point of contact within your business for matters relating to data breaches, training your employees and conducting regular audits and reviews of the business’ measures and the implementation of such measures.
3. Review your current practices (both external and internal)
The GDPR requires documented procedures for many things, including defining the legal basis for using the data that your business acquires; delivering privacy notices; acquiring explicit consent from people when required (including online consents – so check your website consents); managing access to data by users; handling requests from customers; and training employees in data handling. It would be useful to develop a guidebook of procedures for your business.
4. Meet technical requirements
The GDPR has been implemented to address, amongst other things, changes in technology and how data is processed using technology. Under the GDPR, personal data has been broadened to also include online identifiers and location data, so that IP addresses and mobile device IDs count as personal data. Your business should first undertake a detailed technical assessment to understand what you currently have in place. As such, we also work closely with our in-house IT team to ensure that your technical processes are GDPR compliant, and we advise you on technical changes you may wish to make so that your processes become more efficient.
The GDPR also introduces the concept of pseudonymising data, by utilising technical measures like hashing, salting or encryption such that it no longer identifies an individual without the use of additional information. By pseudonymising your data, you could significantly limit your business’s liability under the GDPR rules.
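The following is an added illustration of the pseudonymisation point above; it is example code written for this page, not code from the article's authors or their IT team. It assumes HMAC-SHA256 as the keyed hash, a constructed sample record (an e-mail address, an IP address and a device ID, none of them real), and a hypothetical /24 address block for the self-check. The secret key plays the role of the "additional information" the GDPR refers to: held apart from the data, it is the only route back from a token to a person. The self-check at the end shows why a plain, unkeyed hash of a short identifier such as an IPv4 address does not meet that bar, since every candidate value can simply be hashed and compared.

```python
import hashlib
import hmac
import ipaddress
import secrets
from typing import Dict, Iterable, Optional

# Constructed sample event: the online identifiers the page names as personal
# data (an IP address and a device ID) plus an e-mail address. Not real data.
SAMPLE_EVENT: Dict[str, str] = {
    "email": "jane.doe@example.com",
    "ip": "203.0.113.42",
    "device_id": "A1B2-C3D4-E5F6",
}


def keyed_pseudonym(value: str, key: bytes) -> str:
    """HMAC-SHA256 of the identifier under a secret key.

    The key is the GDPR's 'additional information': it lives in a separate,
    access-controlled store, so a token on its own cannot be attributed to a
    person, while equal inputs still map to equal tokens (linkability kept
    for analytics, de-duplication and so on).
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def unkeyed_hash(value: str) -> str:
    """Plain SHA-256, included only to show why it is not enough on its own."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def pseudonymise_event(event: Dict[str, str], key: bytes) -> Dict[str, str]:
    """Replace every identifier in the record with its keyed pseudonym."""
    return {field: keyed_pseudonym(value, key) for field, value in event.items()}


def match_token(token: str, candidates: Iterable[str],
                key: Optional[bytes] = None) -> Optional[str]:
    """Self-check for a pseudonymisation design: can a token be attributed to
    a value by trying each candidate? With the key this should succeed (that
    is the controlled re-identification path); without the key it must fail.
    """
    for candidate in candidates:
        guess = (keyed_pseudonym(candidate, key) if key is not None
                 else unkeyed_hash(candidate))
        if hmac.compare_digest(guess, token):
            return candidate
    return None


def ipv4_block(cidr: str) -> Iterable[str]:
    """All host addresses in a block (hypothetical block used in the demo)."""
    return (str(host) for host in ipaddress.ip_network(cidr).hosts())


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # in production: KMS/HSM, never stored beside the data
    print(pseudonymise_event(SAMPLE_EVENT, key))

    block = "203.0.113.0/24"
    # Unkeyed hash: the address is recovered by enumerating the block.
    print(match_token(unkeyed_hash(SAMPLE_EVENT["ip"]), ipv4_block(block)))
    # Keyed pseudonym: nothing matches without the key ...
    print(match_token(keyed_pseudonym(SAMPLE_EVENT["ip"], key), ipv4_block(block)))
    # ... and the holder of the key can still re-identify when lawfully required.
    print(match_token(keyed_pseudonym(SAMPLE_EVENT["ip"], key), ipv4_block(block), key))
```

Two design notes follow from this. First, the protection rests entirely on keeping the key separate from the pseudonymised dataset; if both sit in the same database under the same access rights, the data is in practice still identifying. Second, pseudonymised data is still personal data under the GDPR (the key exists somewhere), so the measure reduces risk and liability rather than removing the data from scope.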
5. Define a governance structure
While best practices will no doubt evolve, your business should have a governance structure in mind to ensure that your processes keep up with any GDPR changes. One such aspect of this is to have a Privacy Impact Assessment, which would assess the risk of any proposed data use and balance that risk against the business value.
Our lawyers have extensive GDPR knowledge and are able to help you with all your GDPR requirements or questions. We are able to conduct a gap analysis of your current practices to produce a GDPR Audit with ‘Action Points’ you are required to take to ensure your business is compliant. We are also able to draft GDPR policies to record your compliance.
Satia Chotai – 16 May 2018