General Data Protection Regulation (GDPR) - 12 Areas Your Business Must Comply With
When the GDPR is enforced, breached organisations will find the fines they face increasing dramatically. From a theoretical maximum of £500,000 that the Information Commissioner’s Office (ICO) can currently levy (in practice, the ICO has never issued a penalty higher than £400,000), penalties will reach an upper limit of €20 million or 4% of annual global turnover – whichever is higher.
The ICO has stressed 12 areas that all businesses need to be aware of to ensure they meet compliance requirements:
1. Awareness – All the relevant responsible people in the business need to be aware that the law is changing and how this relates to their area of the business. Are there any areas that could cause problems? Are you aware of the resources you will need to meet the requirements?
2. Currently Held Information – All businesses should document the personal information they hold, how they acquired it and who else has access to it. An information audit may be required, and businesses will need to maintain records of their processing activities. How a business corrects inaccurate information with the other organisations it has shared that information with will also need to be documented. This will ensure the accountability principle is met.
3. Privacy Notice – When information is collected from individuals, businesses have to communicate certain information including their identity and how the information will be used. This is done via a privacy notice and the GDPR requires some extra items of notification including data retention periods and the ability to complain to the ICO if there is any feeling of misuse of information.
4. Rights of Individuals – The GDPR provides individuals with a number of rights including the right to be informed, the right of access, the right to erasure and the right to object. The rights are similar to those under the DPA but with enhancements. A new one is the right to data portability, and companies will need to document how they will meet the requirement.
5. Subject Access Requests – Procedures for handling requests will need to be updated, e.g. the time limit for complying falls from the current 40 days to one month. For bigger organisations, would an online system provide the information more easily?
6. Lawful Basis for Processing Personal Data – For processing to be lawful under the GDPR, businesses need to identify a lawful basis before they process personal data. These are often referred to as the “conditions for processing” under the DPA, and they specify the various grounds on which data can be stored and processed.
7. Consent - Consent under the GDPR must be a freely given, specific, informed and unambiguous indication of the individual’s wishes. There must be some form of clear affirmative action – or in other words, a positive opt-in – consent cannot be inferred from silence, pre-ticked boxes or inactivity. It must be separate from terms and conditions and there must be simple ways to withdraw consent. If businesses are of the opinion that they currently meet the requirements, there is no automatic requirement to refresh current agreements but they must be sure their processes are adequate.
8. Children – This is a new requirement that did not exist in the DPA. If an organisation collects information about children (under 16 years old), then a parent or guardian’s consent may be needed to process this information; the GDPR’s specific rule on parental consent applies where an online service is offered directly to a child. E.g. if you hold personal information on a student on work experience, you may need consent from somebody holding parental responsibility.
9. Data Breaches – Correct procedures will need to be in place to detect, report and investigate a personal data breach. A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This means that a breach is more than just losing personal data. Businesses will have to report certain breaches to the supervisory authority (where feasible, within 72 hours of becoming aware of the breach), and where a breach is likely to result in a high risk to the rights and freedoms of individuals, you must also notify those concerned directly. ‘High risk’ means the threshold for notifying individuals is higher than for notifying the relevant supervisory authority.
10. Data Protection by Design and Data Protection Impact Assessments (DPIA) – Although previously designated as good practice, data protection by design will be a mandatory requirement under GDPR. This means that businesses have a general obligation to implement technical and organisational measures to show that they have considered and integrated data protection into their processing activities.
DPIAs, mandatory under certain circumstances, are a tool which can help organisations identify the most effective way to comply with their data protection obligations and meet individuals’ expectations of privacy. An effective DPIA will allow organisations to identify and fix problems at an early stage, reducing the associated costs and damage to reputation which might otherwise occur.
11. Data Protection Officers – A Data Protection Officer must be appointed if you are a public authority, carry out large scale systematic monitoring of individuals, or carry out large scale processing of special categories of data or data relating to criminal convictions and offences. In practice this will mainly apply to public bodies and larger organisations.
12. International – Relevant to those organisations that operate across national boundaries. If the organisation conducts business in more than one EU member state, or affects individuals in states other than its own, it needs to work out where it makes its most significant decisions about processing (its main establishment); the supervisory authority in that country will be its lead data protection supervisory authority.
We will have more information about GDPR and advice on how to comply in the run up to the enforcement date. If there are any particular areas you would like advice on, please call the IGA member helpline on 0845 305 4230.