GDPR – Where do we start?

The General Data Protection Regulation, also known as the GDPR, has been hitting the headlines recently due to significant fines and penalties that will be levied for breach of its provisions. Kate Colleary, co-founder and director, Frontier Privacy explains what this means and outlines how your business can prepare.

The GDPR aims to make businesses more accountable for data privacy compliance and offers citizens extra rights and more control over their personal data. Preparation for the GDPR must be prioritised at board level for all organisations as it will have significant impact on all businesses. Not only must organisations comply with the GDPR, they also must be able to demonstrate compliance.

Getting ready for GDPR

GDPR will take effect on May 25th 2018. With less than a year to go, it is crucial to start preparing for it now, so you can demonstrate compliance. We recommend that each business does the following as soon as possible:

1. Carry out a review of where your organisation stands currently with regard to data protection compliance. Based on the results of that review, prioritise the most urgent issues for action, create a project plan and start the GDPR project.
2. Create a data inventory – create a list of what personal data is collected and from whom? For what purpose? How long is it kept? How secure is it? Who has access to it within and outside the  organisation?
3. Consider whether you have told people what data you are collecting, why and where you are sharing it? If not, you will need to do so at the point where you collect the data, e.g., privacy notices on website, on competition entry forms and on application forms.
4. Review agreements with all third parties who have access to your organisation’s personal data to ensure that appropriate Data Protection clauses are included in the agreement. A ‘third party’ means anyone that touches upon your organisation’s personal data, such as an archive company, your cloud service provider, recruitment company etc.
5. Draft an appropriate Privacy Policy and Data Retention Policy and make them available to people whose data you collect.
6. Carry out a security review.

Penalties

Breaches of the GDPR can attract fines of €20 million, or up to 4% of group annual global turnover. There are also potential criminal consequences for breaches. So, it is important to get started on compliance now, as it will take time. Do not put it off!

Transparency and Individual Rights

The GDPR provides the following rights for individuals:

• data portability;
• access to their personal data;
• to object to direct marketing;
• to restrict the processing of their information;
• to have information erased or amended;
• to be forgotten.
• Businesses must have appropriate mechanisms in place to deal with these new rights.

Legal basis for processing

Businesses must process data fairly. That means that you must be transparent about what you are doing with data. You must also have a legal basis for the collection of data, in some cases it may be that you have to collect credit card details to fulfil a contract, in others you may rely on people consenting to your marketing activity.

According to Article 32 of GDPR, consent should be “freely given, specific, informed, and unambiguous… by written statement”. One way of demonstrating consent is to invite the customer to
tick an opt-in box confirming that they wish to receive marketing messages via specific channels (such as post, email, live phone call, etc.). It can also be done by clicking an icon, sending an email, subscribing to a service or providing oral confirmation. Silence, pre-ticking boxes or inactivity will not constitute consent.

Appointing a data protection office (DPO)

Some businesses will have to appoint a DPO, in circumstances where the business activity involves regular and systematic monitoring of data subjects on a large scale or where the business  processes special categories of data, such as health data. The data protection officer does not have to be a lawyer but must have expert knowledge of data protection law and practices. The main tasks of the DPO are the independent supervision of an organisation’s compliance with the GDPR, as well as advising and overseeing staff dealing with personal data.

Colleary & Co law firm, and its sister consulting practice, Frontier Privacy, helps clients comply with data protection requirements. From initial compliance assessments, to drafting policies and training staff, we can help. Contact: Katecolleary@collearyandco.com

This Business Support article featured in the September/October 2017 edition of The Hardware Journal.