The General Data Protection Regulation (GDPR) applies in all 28 Member States of the European Union (EU) from 25 May 2018. This heralds a significant change in the regulatory landscape for data protection, giving individuals in the EU greater control over their personal data.

The Regulation directly affects both EU and non-EU based businesses, as it applies to organisations processing and holding the personal data of data subjects in the EU regardless of where the organisation is located. Non-EU data controllers and processors must comply with the European data protection obligations where they have an establishment in the EU, or where they offer goods or services to individuals in the EU or monitor the behaviour of individuals in the EU. Organisations based outside the EU which are caught by the GDPR must, with limited exceptions, appoint an EU-based representative. The impact of the GDPR will also be felt by businesses in any supply chain with EU-based organisations, as those organisations will be seeking to ensure that the processes, policies and safeguards in place with all their sub-contractors meet GDPR standards.

The GDPR also introduces significantly higher fines for breaches:
  • Some contraventions will be subject to administrative fines of up to €10,000,000 or, in the case of undertakings, 2% of total worldwide annual turnover for the preceding financial year, whichever is the higher.
  • Others will be subject to administrative fines of up to €20,000,000 or, in the case of undertakings, 4% of total worldwide annual turnover for the preceding financial year, whichever is the higher.
So what should you be doing?
Because of the wide scope of the GDPR, it will cover many more businesses than the current regime does. If you have not already started getting ready, with six months to go before it applies you need to start now. So where do you start?
  1. First off, determine whether your organisation's activities mean that the GDPR applies to you.
  2. If it does, the next step is to conduct an information audit to fully understand how personal data is used and processed within your organisation. The kinds of questions you need to investigate include:
    1. Where is personal data stored?
    2. How secure is it?
    3. Who has control and access to the data?
    4. Is it shared with third parties and other processors?
    5. What are our subcontractor arrangements? Are these sufficient?
  3. Understand the legal grounds for collecting and processing data. Do you rely only on consent, or on other grounds as well? EFAMRO has produced excellent guidance on the different legal bases for processing.
Whether you rely on consent or on another legal basis, you need to look at your information notices, privacy policies and so on to ensure that you are being "fair and transparent" with individuals about your processing, unless the individual already has this information. The information provided must be fuller than is currently required, and there is increased focus on how effectively it is communicated. Notices must be written in accessible language which can be easily understood and should include:
  1. Identity and contact details
  2. Purposes of processing
  3. Legal basis for processing
  4. Recipients of data
  5. Transfers
  6. Retention periods
  7. Right to access
  4. Review your IT arrangements. Questions to consider:
    1. Can your IT systems and organisational processes cope with the new rights?
  • Think about subject access, data portability, the right to be forgotten, recording objections to or withdrawal from processing, and deletion of information
  • Build security measures into your processes from the outset, e.g. encryption of personal data
  • Ensure access to personal data is limited to those who need it
  • Limit data retention periods, and consider different retention periods for different types of data and/or different purposes
  5. Review your corporate data and security policies, processes and training. These will all need to reflect the new requirements, and staff need to understand their obligations.
The second article in the series will be published in our next newsletter, coming out on 4 December.

Debrah Harding, MRS