GDPR Legislation: What Businesses Need to Do Next
The GDPR provides European citizens with crucial data protection rights, but what steps should businesses take next in order to comply? Let’s take a look.
A short while ago , we looked at the upcoming GDPR data protection legislation, the rights it affords to individuals within the EU, and how businesses may be affected. This new legislation helps to reinforce, update and unify data protection laws across all EU member states and bring them into the digital world.
Depending on the nature of your business and the operations you carry out, how much GDPR will affect your business will vary wildly. Let’s take a look at a few initial steps that all businesses should take to help stay compliant with the new ruling.
Be Self Aware with Your Data
First off, it’s important to reacquaint yourself with the role that data plays within your organisation, and how data belonging to individuals flows around both internally and externally. Take stock of the current data you hold or process, establish why you carry out these actions, and put together a picture of what you do with the data. As well as familiarising yourself with your current data practices in the context of GDPR, this exercise might also provide useful opportunities to streamline current operations too.
Remember that this ruling relates to any data belonging to individuals, and is not limited to data from prospects and clients; personal information about your staff also counts. This might include things like HR records, payroll, personal contact details as well as payment information and history.
Evaluate your lawful basis for holding and processing any such data, and establish if there is any redundant or non-essential data being held. You also need to be aware of how that data is stored and how secure any data storage medium is. Heighten defences and address any potential security issues such as breaches, leaks or hacks.
Once you have a full picture of the role data plays in your organisation, carefully study the new legislation and explore the new rights available to individuals. Honestly evaluate how compliant your current systems are with the new rules, and make a note of any places where your existing data processes will need to change.
Establish what needs altering and appoint a Data Protection Officer to take responsibility for your compliance. Your DPO should also keep your team aware of their new responsibilities under the new legislation, and should generally help you achieve the goal of total compliance before the 25th May 2018.
Consent and Individuals’ Wishes
Consent is an important concept that underpins GDPR, and needs to be actively and freely given by the individual. When consent is sought, you need to explicitly state what data storage and processing you will be carrying out. Soft opt ins, implied consent and consent through pre-ticked boxes or inaction is no longer allowed.
When you look at your existing data practices, establish what you are currently doing with data and how the related individuals have opted in. If consent has been merely implied, then you need to seek proper, informed consent immediately before any further actions can take place with the data. Also ensure that future data collection practices allow for people to knowingly consent to your intended actions going forward. All methods for consent need to be provable and auditable in case someone makes a claim against your company saying you’ve used their data without permission. If individuals’ data flows outside of the organisation, additional consent may also be required.
One common use of data by companies on a day to day basis is the sending of marketing communications. GDPR rules state that explicit permission must be sought for marketing contact to continue, and even if consent has been given in the past, opting out should be made easy for the individual.
If you use automated profiling systems that make significant legal or financial decisions about individuals without human intervention (for example profiling for insurance eligibility), you need to be aware of the new rights to opt out/object from these practices. If your company does use this kind of profiling, you should put systems in place that allow individuals to seek a second opinion from a human decision maker and give their side of the story.
Because individuals will now have a right to object from certain uses of their data, you must keep data belonging to any kind of objector separate to ensure that their data isn’t used for a non-consensual activity, even by accident.
Informational Access & Accuracy
Individuals will now have the right to rectification, so you need to make sure your systems allow for any incorrect data held about people to be edited easily and auditably, or for complete deletion of identifiable data should the person wish.
People will also have rights of access, meaning that they will be able to request a digital copy of any data you hold about them. There was previously a £10 fee payable by the individual for such access under the Data Protection Act; but access under the GDPR has to be provided for free unless the request is “manifestly unfounded or excessive”, in which case a “reasonable fee” can be charged.
If exporting a digital copy of someone’s data is difficult or laborious under your current systems, it will most likely pay to make the process easier as you tweak your systems in line with the new ruling.
Be aware that people will have a right to ask whether you hold data about them, what data you hold, why you hold it, what you do with it, and how long you intend to hold it. Train your staff in your new privacy policies so they have the answers to these questions ready. Always make sure your answers are reasonable and give a strong lawful basis for carrying out your activities.
Prepare for Possible Data Breaches!
As you redesign and reframe your processes around the new legislation, also work in systems to alert your team as to any potential data breaches. These systems should also help to provide an assessment of the severity of any leaks and allow for further investigation into what went wrong.
Depending on the severity of the breach, you may also need to report it to your supervisory authority, and investigate what happened. Ensure that the findings of your investigation can also be reported to the supervisory body as appropriate.
A Couple of Specific Conditions…
If you store or process data belonging to children, there are increased responsibilities to protect their interests under GDPR. If you provide services to under 16’s, you need to provide privacy notices in language they’ll understand. Online services provided to under 16’s that involve data processing may require consent from a parent or guardian to process the child’s data.
If you are a public authority (with some exceptions for courts); an organisation that monitors individuals en masse; or an organisation that processes personal details such as health or criminal records, you must appoint a Data Protection Officer.
DISCLAIMER: This blog post is provided only as a guide to the new GDPR legislation and should not be considered legal advice. Quality Systems Solutions Ltd advise you to seek your own appropriate legal counsel.
Overview of the GDPR from the Information Commissioner’s Office (ICO)
GDPR: 12 Steps to Take Now from the ICO
Getting Ready for the GDPR Checklist from the ICO
“What Is GDPR?” from the University of Roskilde, Denmark