Key Features of GDPR

Below are ten areas that the Data Protection Commissioner has highlighted as significant matters to be aware of and the steps you can take to begin preparation for the new regulatory regime.

Whilst aspects of the GDPR are new, many of the requirements build upon the existing legislative framework and therefore compliance with the current Laws will go a long way towards compliance with the GDPR.

Do not underestimate the time required to ensure you are fully prepared for 2018. The value of formulating, adopting and implementing exemplary data governance and security practices lies in the rewards it yields.

Awareness

As an organisation you must ensure you are aware of the changes ahead and what they will mean for you.

  • Obtain Board and Senior Management Team support. This is no longer an area that can be the responsibility of one individual. Board level engagement is essential.
  • Consider the resource and procedural implications of putting in place robust and effective data governance for your organisation.
  • Privacy and data security are now part of corporate risk management. Add GDPR to your organisation’s risk register.
  • Task key people with keeping up to date with developments and make sure they are at an appropriate level of seniority and adequately resourced.
  • Run awareness sessions to ensure all staff are aware and up to date with the changes GDPR will bring to the organisation.

Consent

The GDPR considers consent an important part of ensuring individuals have control and an understanding of how their data are to be processed.

  • Consent must be:
    • Freely given
    • Specific
    • Informed
    • Unambiguous
  • There has to be a positive indication of agreement.
  • Consent as a basis for processing gives individuals stronger rights.
  • Data controllers must be able to evidence consent was given.
  • Parental consent to process children’s† data on the internet.

† The legal definition of a child will be determined at the law drafting stage, with the upper age limit required to be within the range of 13-16 years.

Wider Scope

The GDPR will impact new and far-reaching areas, both geographically and procedurally. More organisations will be captured by the requirements and more data processing will be encompassed by the definitions.

  • Data Processors come under the remit of the GDPR and will have specific compliance obligations.
  • Organisations outside the EU, including Channel Island-based companies, targeting EU citizens by offering goods or services or monitoring their behaviour will need to comply with GDPR.
  • If you have an EU presence or process data on EU citizens, you may need to nominate a representative in a Member State.

Individuals’ Rights

Individuals’ rights are enhanced and extended in a number of important areas. They include:

  • A right of access to data (Subject Access);
  • A right for the correction of data where inaccuracies have been identified;
  • A right to require the erasure of personal data (often referred to as the ‘right to be forgotten’);
  • A right to prevent direct marketing;
  • Control over automated decision making & profiling;
  • A right to data portability between controllers.

Subject Access Requests

As the GDPR captures more information within the definition of personal data, you must prepare ahead for access requests. Your records management systems and processes, both electronic and paper-based, must be consciously designed to support the efficient discovery of information, noting that:

  • In most circumstances no fee can be charged;
  • A response must be provided within 1 month;
  • More information must be provided, including data retention periods and the right to have data corrected;
  • Policies and procedures will need to be in place to govern the refusal of requests.

Privacy Notices

Empowering individuals by being transparent and clear about how their data are going to be processed, and by whom, is a key element of compliance with the GDPR. At every point at which personal data are collected, whether that is from your clients, staff or others, review how you intend to provide the following at the time of collection:

  • Purpose of and legal basis for processing;
  • Recipients of the data;
  • Any third countries data are transferred to and safeguards in place;
  • Data retention periods;
  • The existence of individuals’ rights;
  • Right to withdraw consent where provided;
  • Data Protection Officer’s contact details;
  • Whether data provision has statutory or contractual basis;
  • Details where the legitimate interest condition has been relied upon.

Privacy by Design, DPIAs

The GDPR places much more emphasis on building in effective data protection practices and safeguards from the very beginning of all processing.

  • Data protection must be considered early on in projects involving data
  • Data Protection Impact Assessments (DPIA) are best practice and likely to be mandatory in some circumstances such as
    • Decisions that produce legal effects
    • Processing of special category data e.g. health data
    • Monitoring of publicly accessible areas

Ensure such processes become routine and well documented. As business models and processes change and evolve, so too do compliance needs. Regular reviews are therefore essential and should be proactively managed and recorded.

What, Where, Why, How

A detailed understanding of your own data processing underpins the accountability aspect of the GDPR. Any effective data governance strategy has to begin with a comprehensive data audit so ensure you have detailed and documented answers to the following key questions:

  • What personal data do you hold? Do you hold any special category data?
  • Where is it from and where is it sent?
  • Why is it processed? For what purpose?
  • How is the processing lawful and fair? Which of the conditions is met? Have you provided individuals with details about the processing of their data, including reference to the rights they have?

Data Protection Officers (DPOs)

Getting ready for the GDPR requires a multidisciplinary skill set and approach. Identifying and supporting a member of your staff with responsibility for data protection compliance may be a mandatory requirement for your organisation. But even if it is not, having someone in place undertaking that role will be beneficial to your organisation.

The DPO role will require a solid understanding of the way your organisation operates and a skill set that stretches well beyond an understanding of legal compliance. It must include IT, data security, strategy, communication, risk management, etc.

The GDPR is clear that such a role should be appropriately senior and autonomous. The DPO will be expected to be the front face of data protection for your organisation, which will necessarily include dealing with data subjects and the Data Protection Authority.

  • DPOs likely to be mandatory for:
    • Public authorities.
    • Organisations involved in high risk processing.
    • Organisations processing special categories of data.
  • DPO must be suitably experienced and skilled.
  • Has set tasks including:
    • Inform & advise organisation of obligations.
    • Monitor compliance including awareness raising, staff training, audits.
    • Cooperate with Data Protection Authority and act as contact point.
  • Can be shared with other organisations or have other functions too, but none that conflict.

Penalties and Data Breaches

The GDPR provides for a tougher enforcement approach by the Data Protection Authority including the ability to impose significant fines.

  • Data breaches must be reported to the Data Protection Authority within 72 hours of discovery;
  • Individuals impacted should be told where there exists a high risk to their rights and freedoms, e.g. identity theft, personal safety;
  • Fines can be issued up to €20 million or 4% of global annual turnover;
  • The Data Protection Authority can issue reprimands, warnings and bans as well as fines.

The level of fine is likely to be dependent on a number of factors including:

  • Nature, gravity and duration including categories of data;
  • Intentional or negligent;
  • Action taken to mitigate damage;
  • Security and Privacy by Design measures;
  • Degree of co-operation;
  • How Data Protection Authority found out;
  • Previous enforcement activity;
  • Other aggravating or mitigating factors.

It is essential for data protection to be integrated into corporate risk management for your organisation. Consider how you will manage breach reporting both internally and in respect of your obligations to the Data Protection Authority. If you use a data processor, be clear about your expectations in respect of breach management and ensure these expectations are incorporated into the relevant contracts.