In the second series of our GDPR Blog posts, we look at the Internal Impacts of GDPR for Organisations
On the 25th of May 2018, GDPR will come into effect and affect all businesses and organisations – preparation is key. There are multiple areas that GDPR will impact, so it is important to consider each of them as you prepare over the coming months.
The high-level price for any organisation comes in three forms:
- Financial cost
- Change (often the most difficult element for organisations)
Investing in these elements now is strongly advised, as the consequences of non-compliance will be significant.
To achieve compliance, processes, practices and/or systems may need to be amended. An organisation will need to set aside a sufficient budget and time investment to allow for the upcoming changes. In order to assess what changes are required, it would be prudent to assess what gaps exist between current practice and the new obligations.
The way in which data is processed, communicated, and shared will need to be reviewed within all organisations that are controlling/processing data with GDPR compliance in mind.
GDPR outlines the principles relating to the processing of personal data. Article 5 requires that processing be lawful, fair and transparent, and sets out the principles of purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality.
To ensure an organisation can demonstrate this, it would be prudent to be prepared to justify your need and purpose for the information, to ensure that the information processed is proportionate and legitimate to collect, and to ensure it is processed securely.
- Individual rights
GDPR will grant individuals a number of rights:
- To request that inaccurate data be corrected
- In certain instances, to have data erased / to have the information forgotten
- To restrict the processing of their information
- The right to data portability
The individual also has the right to notification regarding the rectification, erasure or restriction of the personal data.
Under the GDPR, individuals have the right to object to the processing of data; the responsibility sits with the data controller to justify their legitimate processing of the data.
Processing of data needs to be justified and proportional. Justifying lawful data processing can be done by ensuring the data is processed under the following rationale:
- The performance of a contract to which the data subject is a party,
- A legal obligation,
- The vital interests of the data subject or another natural person,
- A task carried out in the public interest or in the exercise of official authority,
- Legitimate interests, except where these are overridden by the fundamental rights and freedoms of the data subject which require protection of the personal data.
Additionally, the individual has the right to access the data that is processed and held on them. This facilitates the exercising of the individual’s rights regarding their personal data. An organisation will need to prepare for these requests – this is achieved by ensuring you know where, what and how all data is held.
As an organisation that currently holds data, it is important to ensure you are aware of what information you are presently holding.
A key step in ensuring accountability for data is making an inventory of all data and assessing:
- Why is it being held?
- Is it still needed?
- For what purpose was it obtained?
- How long is it needed for?
- How securely is it held?
To ensure you are accountable for data, it would be prudent to assess whether any of this data is shared with third parties and, if so, on what basis and where that data would be sent. For example, if transferring data to a sub-processor, it is required under Article 29 that consent from the controller is obtained.
Assessing what data you hold and why gives you a clear view of where processes, systems and practices may need amendment to ensure best practice and GDPR compliance, and also answers the key questions of need, purpose, proportionality and legitimacy.
- Contracts and Due Diligence
With GDPR in mind, contracts will need to be reviewed.
Contracts with controllers, processors or sub-processors should be reviewed to ensure that compliance is being met up and down the stream of data flow. The controller is responsible for being able to demonstrate compliance with the principles of processing, thereby ensuring they are accountable. In addition to any fines or processing restrictions imposed by the Data Authorities, a controller may be liable to compensate any data subject where processing infringes GDPR and damage is caused.
Where a processor or controller has paid full compensation, they are entitled to claim back from other processors or controllers the portion of the compensation corresponding to the damage those parties are responsible for. However, a controller or processor shall be exempt from liability if they prove they are in no way responsible for the event giving rise to the damage.
This highlights the importance of ensuring contracts are explicit in the requirements for adhering to GDPR and performing adequate and robust due diligence.
- Data Privacy Notices
Data privacy notices may need to be updated to ensure they are clear and concise in content, and explicit in alerting persons to the collection and use of data.
A privacy notice should include information such as:
- Notification of the collector’s identity
- The reasons for gathering the data
- The use(s) it will be put to
- Who it will be disclosed to
- If it’s going to be transferred outside the EU
- The legal basis for processing the data
- Retention periods
- The right of a complaint where customers are unhappy with your implementation of any of these criteria
- Whether their data will be subject to automated decision making
- The individual rights of the person under the GDPR.
It should also include an easy means of withdrawing consent after it is given, as a data subject has this right at any time.
Communicating the changes to stakeholders is essential for preparedness.
Providing staff training and ensuring staff understanding is a fundamental aspect of GDPR compliance, as staff will in many cases be the individuals processing and securing personal data. The importance of staff understanding cannot be overstated.
Where working with other controllers or processors, communicating the changes and the responsibilities of each party to them is key to ensuring that all parties are compliant with GDPR.
- Record keeping and Breach Reporting
Controllers and processors are required to keep a record of the processing activities they undertake.
It is important to note that at any point, a controller or processor may be required to present this record to the supervisory authority.
The controller is required to communicate a breach to the supervisory authority as soon as feasible, and no later than 72 hours after becoming aware of it. If the notification is made later than this, it must be accompanied by an explanation for the delay.
Communication is not required in some instances where a data breach is unlikely to result in a risk to the rights and freedoms of the data subject. Nonetheless, the controller should document all breaches, the facts relating to each breach and the remedial action taken.
A processor must notify the controller without undue delay so that the controller can meet their own obligation, and must also satisfy their own recording requirements.
With regard to the data subject, the controller is required to notify the subject without undue delay if the breach presents a high risk to the rights and freedoms of a natural person.
- Data Protection Officers
With the GDPR in place, some organisations will be required to appoint a Data Protection Officer, including:
- Government departments
- Organisations that process personal data regularly, systematically or on a large scale, and categories of data that are considered special categories, such as health data.
A Data Protection Officer will have professional standing and expert knowledge, and must be properly involved in the organisation’s business processes in a timely manner. Part of their role will be to act as an intermediary between all stakeholders and to monitor compliance.
One of the aspects a Data Protection Officer will be involved in will be Data Protection Impact Assessments. These are assessments performed where a type of processing, particularly using new technologies, may present a risk.
As the date GDPR comes into effect, May 2018, is approaching, it is now time to begin addressing the needs of your organisation to ensure you are prepared. The above outlines some of the key areas to consider.
Stay tuned for our third blog post, where we will discuss ‘How Technology Supports the GDPR’.
In our first blog, ‘What is GDPR’, we outlined the basic principles of the upcoming GDPR legislation.
As the General Data Protection Regulation (“GDPR”) (EU) 2016 / 679 has not yet been implemented, further guidance is expected to be issued by the relevant European and national supervisory authorities in the coming months. Consequently, the above information is subject to a relatively wide degree of interpretation and is likely to change / be amended over time. Therefore, this information should be treated as incomplete and for informative / educational purposes only. If you would like to learn more about the GDPR and its effects please contact your legal advisor with any queries.
For referencing purposes, please find a downloadable copy of the GDPR legislation – here