The General Data Protection Regulation (GDPR) is a key subject for businesses at the moment, but what does it actually mean and how ready are businesses? Julia Seary, Company Commercial Partner at Roythornes Solicitors, shares her top tips for approaching GDPR.
A recent survey – which evaluated businesses’ approach to, and readiness for, GDPR ahead of the date it applies, 25 May 2018 – revealed that as few as seven percent of those asked felt fully prepared for the change in law. Whilst a small majority felt somewhat ready, almost 30 percent did not feel ready at all or were not even aware of the new regulation.
This level of preparation was reflected at a seminar I held at the end of last year on GDPR – it was one of Roythornes’ most well attended events of 2017 and we noticed the particularly high volume of questions asked.
It was clear from our discussions that each business and industry has different ‘pain points’ with the introduction of GDPR. I have, therefore, pulled together a handy ten-point action plan that applies whatever your sector:
- Nominate a GDPR lead or Data Protection Officer (DPO)
Having a person to front the initiative will be very important when the regulation starts to apply in May 2018. A formal DPO is mandatory only for certain organisations (public authorities, and businesses whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data), but every business benefits from a named lead. All staff must be adequately briefed, but one person leading on GDPR will ensure that the regulation is given the necessary priority and that compliance is achieved from the outset.
- Carry out a data mapping review
This will tell the business what personal data it holds, where it is held, where it came from, why it is processed, what legal basis is relied upon, who it is shared with and how long it is kept – in effect the record of processing activities that GDPR requires many organisations to maintain. This is also a good time to review and update procedures and refresh any consents (if necessary).
- Update your customer facing privacy notices
This step is essential because businesses must now tell customers, in clear and plain language, exactly what they intend to do with their data, on what legal basis, for how long and with whom it will be shared. Take this time to also remove any pre-ticked consent boxes and replace them with unticked opt-in boxes: a pre-ticked box, silence or inactivity does not count as consent.
- Review and update all relevant data-related policies and procedures
Look at internal processes to see what data is held, why it is still being retained and, most importantly, how the data is processed and protected. This could include procedures for detecting and reporting personal data breaches (notifiable breaches must be reported to the ICO within 72 hours of becoming aware of them) and for deleting data upon request.
- Clarify and document the legal basis that you are relying on for processing data
This is particularly important with regard to consent: if you are relying on consent as the legal basis, check whether existing consents meet the new standard and, if not, re-approach contacts to obtain fresh consent or delete the data. Valid consent is now harder to obtain: it must be freely given, specific, informed and unambiguous, given by a clear affirmative action, and as easy to withdraw as it was to give. Be sure to keep an audit trail of who consented to what, when and how, as the burden is on the controller to demonstrate compliance.
- Check your marketing lists
Check that all marketing lists comply with the new regulation. If the business has acquired a list, ensure that the individuals on it consented to their data being passed to you for marketing; if that cannot be evidenced, the list should not be used. I would also suggest keeping a suppression or ‘stop list’ so that individuals who have objected, withdrawn consent or never given it are not contacted, even if their details are later re-imported from another source.
- Check your IT systems can properly support compliance
I would highly recommend an IT system check to ensure that the business can locate all data held on an individual and respond to subject access requests within the one-month deadline, easily rectify errors, strip out redundant data, and export an individual’s data in a commonly used, machine-readable format in response to a portability request. Also consider whether data should be encrypted (at rest and in transit), and make sure changes to personal data are logged so that there is a record of who changed what and when.
- Review all third-party supplier arrangements with regard to the new regulatory requirements
Third party suppliers that process personal data on your behalf, such as back-office support outsourcers, cloud storage providers and delivery haulage companies, are ‘processors’, and their agreements need to be checked to ensure that the processing is governed by a written contract. That contract must contain the prescribed terms: the processor acts only on your documented instructions, keeps the data confidential, applies appropriate technical and organisational measures, does not engage sub-processors without your authorisation, assists you with individuals’ requests and breach notifications, deletes or returns the data at the end of the contract, and makes information available for audits. Remember that as controller you remain responsible for what your processors do with the data.
- Consider staff training and ongoing audits
Ensure staff are adequately briefed and carry out ongoing audits. Training staff to recognise risks and red flags (for example an unusual request for customer data, or a lost unencrypted laptop) should help to avoid data protection incidents down the line, as will regularly reviewing processes to ensure the business remains compliant.
- Go through and double check everything
Above all, the key take-home message is that you must have a lawful basis to process individuals’ data. This does not have to be explicit consent, which is only one of the six lawful bases, but you should be clear as to which basis you are relying on and say so in your privacy notice. In addition, transparency towards individuals is key. Whether it be in regard to marketing bulletins, IT security, customer relationships, employee data storage or data transfer, the core principles of data protection remain but with tighter controls.
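The ‘audit trail’, ‘stop list’ and ‘IT systems’ points above (items 5, 6 and 7) are easier to picture with a concrete model. The following Python is an added illustration written for this page, not code from the article or from Roythornes: a hypothetical in-memory contact store with an append-only change log, consent events recorded together with their source, a suppression list that survives erasure, rectification, a portable JSON export, and a list import that rejects rows lacking evidence of consent to transfer. All contact names, addresses and consent sources are made up.

```python
import json
from datetime import datetime, timezone


def _now():
    """UTC ISO 8601 timestamp for audit entries."""
    return datetime.now(timezone.utc).isoformat()


class PersonalDataStore:
    """Hypothetical in-memory contact store (illustration only)."""

    def __init__(self):
        self._contacts = {}     # contact_id -> {"email", "name", "consents": [...]}
        self.audit_log = []     # append-only trail of every change
        self.stop_list = set()  # e-mails never to market to; survives erasure

    def _log(self, action, contact_id, **detail):
        self.audit_log.append({"at": _now(), "action": action,
                               "contact_id": contact_id, **detail})

    def add_contact(self, contact_id, email, name, source):
        """Create a record and log where the data came from."""
        self._contacts[contact_id] = {"email": email, "name": name, "consents": []}
        self._log("create", contact_id, source=source)

    def import_acquired_list(self, rows):
        """Load a bought list; rows with no evidence of consent to transfer are rejected."""
        accepted, rejected = [], []
        for row in rows:
            if not row.get("transfer_consent_source"):
                rejected.append(row["email"])
                continue
            self.add_contact(row["id"], row["email"], row["name"],
                             source="acquired list: " + row["transfer_consent_source"])
            accepted.append(row["id"])
        return accepted, rejected

    def record_consent(self, contact_id, purpose, given, source):
        """Append an opt-in (given=True) or withdrawal/objection (given=False).
        Events are never overwritten, so the trail shows who consented to what,
        when, and how it was captured (e.g. which form version)."""
        c = self._contacts[contact_id]
        c["consents"].append({"purpose": purpose, "given": given,
                              "source": source, "at": _now()})
        if purpose == "marketing" and not given:
            self.stop_list.add(c["email"].lower())
        self._log("consent", contact_id, purpose=purpose, given=given, source=source)

    def can_market(self, contact_id):
        """True only if the latest marketing consent is an opt-in and the address
        is not suppressed. No recorded consent means no marketing."""
        c = self._contacts.get(contact_id)
        if c is None or c["email"].lower() in self.stop_list:
            return False
        events = [e for e in c["consents"] if e["purpose"] == "marketing"]
        return bool(events) and events[-1]["given"]

    def rectify(self, contact_id, field_name, new_value):
        """Right to rectification: change one field, logging old and new values."""
        c = self._contacts[contact_id]
        old = c[field_name]
        c[field_name] = new_value
        if field_name == "email" and old.lower() in self.stop_list:
            self.stop_list.add(new_value.lower())  # the objection follows the person
        self._log("rectify", contact_id, field=field_name, old=old, new=new_value)

    def export_portable(self, contact_id):
        """Right to data portability: everything held on the person, as JSON."""
        return json.dumps({"contact_id": contact_id, **self._contacts[contact_id]},
                          indent=2)

    def erase(self, contact_id):
        """Right to erasure: the record goes, but the address stays suppressed."""
        c = self._contacts.pop(contact_id)
        self.stop_list.add(c["email"].lower())
        self._log("erase", contact_id)


def demo():
    """Constructed walk-through with made-up contacts."""
    store = PersonalDataStore()
    store.add_contact("c1", "a.example@example.com", "A. Example", source="web form v3")
    store.record_consent("c1", "marketing", True, source="web form v3 opt-in box")
    accepted, rejected = store.import_acquired_list([
        {"id": "c2", "email": "b@example.com", "name": "B",
         "transfer_consent_source": "vendor opt-in form, Nov 2017"},
        {"id": "c3", "email": "c@example.com", "name": "C"},  # no evidence: rejected
    ])
    store.record_consent("c1", "marketing", False, source="unsubscribe link")
    store.rectify("c2", "name", "B. Example")
    exported = store.export_portable("c2")
    store.erase("c1")
    return store, accepted, rejected, exported


if __name__ == "__main__":
    store, accepted, rejected, exported = demo()
    print(exported, *store.audit_log, sep="\n")
```

Two design choices matter here. Consent is stored as a sequence of events rather than a single flag, so the store can show the ICO when and through which form a person opted in or out; and the suppression list is kept separately from the contact records, so erasing someone does not quietly re-open the door to marketing them if their details arrive again on a purchased list.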
There are many new rules coming into force, but the crucial aspects to bear in mind for any industry are: the higher standard for consent (do you have it and, if not, how do you lawfully get it), increased transparency and stronger individual rights (including the ‘right to be informed’ and the ‘right to be forgotten’), and accountability, meaning the need to be able to demonstrate compliance to the Information Commissioner’s Office (ICO) on request, not only once it suspects misconduct.