GDPR
25th May 2018 - GDPR Deadline for Compliance
What to do?
- Conduct an internal audit
- Create written documentation
- Remove data security
- Provide proof of data removal
- Deliver customer communications
- Incorporate mobile-device management
- Collect data responsibly
- Drive cross-department collaboration
- Implement education and training
- Appoint a data-protection officer
- Monitor risk management
10 things you need to know
1. Scope
Where a business is based outside of the EU, but offers goods and services to individuals in the EU, or monitors their behaviour, the GDPR will apply. This will catch many more businesses than previously, including those based in the US and in post-Brexit Britain, even if the UK does not keep the GDPR in its national law. Also, unlike the current law, the GDPR puts obligations on data processors (organisations which work with personal data on behalf of other organisations) as well as data controllers.
2. Accountability and Transparency
The requirement to register (“notify”) with the Information Commissioner's Office (“ICO”) will be scrapped. Instead you will have to keep full records of any data processed, including the type of data and the purpose it is used for. You will also need to give much more detailed notices to people you collect information from.
3. Data Protection officers (DPO)
You may need to designate a DPO to take responsibility for data protection compliance. Their tasks will include liaising and cooperating with supervisory authorities and monitoring compliance. The DPO will need sufficient expert knowledge of data protection law and practices to advise on Data Protection Impact Assessments (DPIAs, often still called Privacy Impact Assessments) and to ensure appropriate policies are in place.
4. Consent rules
Consent to processing of personal data must be freely given, specific, informed and unambiguous, and must be given by a statement or by a clear affirmative action (pre-ticked boxes or silence will not do). Individuals have the right to withdraw consent at any time, and withdrawing must be as easy as giving it.
5. Transfers out of EEA
Parallel legal developments to the GDPR have made this a very hot topic. The old “Safe Harbor” scheme is no longer effective to transfer personal data to the USA and has been replaced by a new EU/US “Privacy Shield”.
6. Subject Access Requests
The rules governing subject access requests will change. You will no longer be able to charge a fee for complying with a request (except where requests are manifestly unfounded or excessive) and will have one month to comply rather than the current 40 days.
7. Data portability
A new concept of data portability has been introduced. This will enable data subjects to transfer their personal data in a commonly-used electronic format from one data controller to another, enabling people to
8. Right to be forgotten
An individual can require that their personal data is erased if it is no longer necessary, if consent is withdrawn and on grounds relating to the individual’s "particular situation".
9. Breach Notification
The GDPR imposes a mandatory breach notification scheme. Breaches (accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data) will have to be reported to the ICO within 72 hours of becoming aware of them, unless the breach is unlikely to result in a risk to individuals. Where the breach is likely to result in a high risk to individuals, you will also have to notify the individuals whose data has been compromised without undue delay.
10. Fines
A two-tiered sanctions regime will apply. Certain breaches will attract a fine of up to €10m or 2% of global annual turnover, whichever is greater. Fines for more serious breaches (for example, breaching the principles, the consent rules or data subjects' rights) will be up to €20m or 4% of global annual turnover, whichever is greater. The ICO can also impose a temporary or permanent ban on data processing by the organisation found to be in breach of its obligations.
Information Security Consultant, GRC
7 years ago
No, remove it. More work for me when a breach occurs. Actually, I suspect it should say "apply data security".
External data protection officer (DPO) in the field of health and clinical research
7 years ago
Likewise, remove data security?
Senior Enterprise Risk Consultant
7 years ago
Remove data security?? Think that one needs clarification.
M.A. music teacher, professional violinist, organist, DPSI translator UK, RU, PL.
7 years ago
Scottexit, Walexit and the rest of the Irexit of course. Divide and rule. Divide and rule...