General Data Protection Regulation: Guide for businesses (Part 2)

Advice  |   10 November 2017

As the rush to get your house in order before the General Data Protection Regulation comes into force on 25 May 2018 continues to gather pace, Robert Goddard concludes his practical guide for businesses by outlining the steps you should be taking now to ensure you are fully prepared.

As the rush to get your house in order before the General Data Protection Regulation comes into force on 25 May 2018 continues to gather pace, Robert Goddard concludes his practical guide for businesses by outlining the steps you should be taking now to ensure you are fully prepared.

To view an earlier article on this subject, please click here

‘The first and most important thing for businesses to do is to ensure that they and their management team understand what the GDPR is and the rights and obligations it introduces or enhances. They then need to look at their current practices to identify anything that they are or are not doing which could cause them problems. Any areas identified as requiring attention should be considered carefully and an agreed plan put into place to address them well in advance of the GDPR coming into force’, says Robert.

Processes and procedures

Review your processes and procedures for the management of data processing and usage and for the sharing of data with other organisations. It is particularly important to develop an effective procedure for rectifying inaccurate data, or erasing redundant data where this is appropriate, both internally and externally, as rectification and erasure may also need to be undertaken by third-parties you have shared affected data with. Think about what personal information you collect and where it comes from, how you use that information and anyone you share it with.

Privacy notices

Review your privacy notices as there are additional requirements under the GDPR. You need to make it clear why you process data and for how long you hold it. You also need to make sure you are notifying individuals whose personal data you are processing about their right to complain to the Information Commissioner’s Office about your activities and that this information is being provided in plain English.

Subject access requests

Familiarise yourself with the new subject access request procedure, and ensure that you do not ask individuals to pay to access their information (unless the request is excessive or unreasonable, or is for repeat information), and that you are able to provide the data requested within one month rather than the 40-day period currently allowed. Where you believe you are justified in refusing a request, remember that you will need to give reasons explaining why this is.

Lawfulness of processing

Identify on which basis you can lawfully hold personal information and remember that if you are relying on an individual’s consent, you will need to review the personal information you already hold to ensure that the consent in respect of that information was obtained expressly rather than via implication. Also bear in mind when relying on consent to justify your processing of personal information that it is easier for an individual to insist on the right to have their data erased by simply withdrawing their consent.

Data breach policy

Review your policy on data breaches to ensure that you meet the increased accountability requirements. In particular you will need to be able to demonstrate how you detect personal data breaches, how you investigate them and how you report them to the Information Commissioner’s Office and, if appropriate, affected individuals.

Data protection impact assessment

It has always been good practice to assess risks regarding the data that you hold, but this is now mandatory in some circumstances under the GDPR – for example, if you are using new technology, are undertaking large scale processing of special categories of data or you are conducting a profiling operation which is likely to significantly affect individuals. In some circumstances, you will need to consult with the Information Commissioner’s Office to seek advice and guidance.

Conclusion

For businesses already subject to the Data Protection Act, it is almost certain that you will also be caught by the GDPR and while many of the processes and procedures you already have in place will continue to stand you in good stead when dealing with personal information, there are significant new and enhanced obligations and rights that need to be considered and which will almost certainly necessitate you making some adjustments to the way you and your staff do things. Being forewarned is being forearmed, so do not delay; take advice now to find out what you need to do and ensure that any required actions are implemented well in advance of the 25 May 2018 deadline.