The beginning of 2018 marked for many businesses the start of a time-consuming process of dealing with their business’s data protection. There is plenty of information about GDPR Compliance, but much advice is convoluted and complex.
Whilst we have been seeing PLCs and larger private companies giving GDPR some attention, smaller organisations that don’t necessarily have separate compliance and regulatory functions are struggling to make sense of the new regulations and how to reconcile them with their businesses.
In addition, smaller to mid-sized businesses without their own regulatory, payroll and IT functions are more likely to rely upon third-party processors (Data Processors) so will have an added layer of complexity in reviewing the terms they have in place with those Data Processors.
GDPR affects all businesses that hold or process personal information about Data Subjects
This means that it affects almost all businesses in one way or another.
Compliance with the new GDPR is important because, aside from the penalties for non-compliance (up to £18m or 4% of turnover, whichever is the greater), companies in breach face reputational and commercial damage, particularly if they are dealing with larger organisations who expect their smaller suppliers to comply in the same way they do.
Dealing with GDPR, however, does not need to be as complicated or as onerous as many businesses first assume.
Nor is it too late to put your company in a good position prior to the May 2018 deadline. Here at ORJ, we have been working closely with our clients in ensuring their businesses remain compliant and we set out below a checklist of the top 8 things that companies should be doing now in respect of data protection.
1. Consider appointing a Data Protection Officer (DPO) or other data protection leader. The GDPR doesn’t require all businesses to appoint a DPO (which is a statutory role), and this will depend on the business’s core activities and whether processing occurs on a large scale or actively involves regular and systematic data subject monitoring. However, even if a DPO isn’t required, each company should have a data protection “champion” to take responsibility for championing good data protection procedures and communicating the message within the organisation.
2. Communicate the importance of GDPR to senior directors and management. See also point 5 below regarding communication of data protection policies to all staff.
3. Carry out a GDPR compliance assessment. The UK Information Commissioner’s Office (ICO) website contains a useful self-assessment document called “Getting Ready for GDPR Data Protection Self Assessment”. In summary, the review should cover:
- The business’s personal data processing activities (i.e. how the business collects, uses and otherwise processes personal data)
- What types of data are collected
- What types of Data Subjects are involved
- Why the business engages in data processing and what the legal basis is for that processing
- How data is held: think about emails, texts, physical paper files, USB sticks, CCTV, call monitoring software, and portable devices such as hard drives and laptops
- The security controls and safeguards deployed to protect personal data (encryption, etc.)
- How long the business retains the personal data
- If the information is shared, consider who the information is shared with and what contracts or policies are in place to ensure that the shared information is secure
- Whether the business has processes in place that would allow it to deal with Data Subjects’ rights under GDPR (for example, the right to have information destroyed)
In order to assess each data processing activity within the scope of the GDPR, you will have to review each activity against the GDPR’s data protection principles of:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Storage limitation
- Integrity and confidentiality, and
- Accountability
4. Review and update privacy notices. Ensure any privacy notices the business gives to a Data Subject when it collects data from that person directly include:
- The Data Controller’s identity and contact details
- The DPO’s contact details
- The intended processing purpose
- The legal basis for processing
- Details of who may receive the personal data
- Any potential cross-border transfer
- The expected retention period of the data
- The Data Subject’s rights, such as the rights to access and correct data as well as to withdraw consent
- Whether providing the personal data is optional or required and whether the business uses automated decision making and profiling
All privacy notices, including any terms that businesses may be relying upon in their standard terms and conditions with customers, will need to be reviewed to ensure that they conform with the above as a minimum.
6. Review existing contracts with customers and suppliers where data processing occurs or personal information may be shared. The GDPR contains very exact requirements which provide that specific information must be set out between the parties where personal data is processed or transferred. Failure to detail that information in contracts where data is processed and shared will automatically be a breach of the GDPR. Standard terms and conditions can present a particular problem; however, this should not be insurmountable with the correct advice. Having good contractual terms in place will also help you to minimise risk and assist you in demonstrating compliance if something does go wrong.
7. Review all processing involving employee data. Contracts of employment, handbooks, etc. should be revised, and it may be necessary to introduce an explicit consent form.
8. Establish a way to retain records that prove your business has complied with GDPR. The financial impact of a data breach can be significant for businesses as well as damaging a firm’s image and its reputation amongst customers and suppliers.
Our data protection team has specialist knowledge across IT, litigation, employment, regulatory, and corporate and commercial matters. Each business is unique in its size and operations, and we understand that. Our team works with you in reviewing policies, contracts and procedures and, importantly, in demonstrating compliance in a way that is clear and proportional to your business.
Should you wish to discuss data protection or GDPR further, please contact Lorraine Smith at Lorraine.firstname.lastname@example.org or 01785 223440.