Social media activity over the weekend highlighted the fact that there were just 100 days to go until Christmas.
However: UK businesses would be wise to sideline the countdown to Santa for the moment as there’s another ticking timeline which could cost organisations up to 20 million Euro or 4% of global turnover, if ignored. In 249 days and on 25 May 2018 the EU General Data Protection Regulation (GDPR) comes into force, heralded by the Information Commissioner as “the biggest change to data protection law for a generation”.
So whilst we’re all familiar with the Army’s acronym of the Seven P’s of Planning – Proper Planning and Preparation Prevents Particularly Poor Performance – how should businesses prepare for the GDPR? The Information Commissioner’s Office has produced a 12 step checklist which highlights the key steps businesses must take now, at the eight month and counting stage. This is a summary of those 12 steps together with recommended action points:
Upskill your key people on the GDPR, it’s scope and scale.
- Information you hold
Conduct a data audit – what, where, when, why, how you use data.
- Communicating privacy information
Review and revise the content of your existing privacy notices and amend accordingly, in line with the GDPR.
- Individuals’ rights
Review and revise the content of all relevant data management policies / procedures and amend accordingly, in line with the GDPR particularly where there are enhanced rights.
- Subject access requests
Understand and implement three changes regarding additional information to be provided; no fee requirement; reduced timescale for compliance.
- Legal basis for processing personal data
Understand, identify and document your business’ basis for processing data, ensuring this basis is reflected / explained in your privacy notice.
Review and revise how your business asks for and records consent, and amend accordingly, in line with the GDPR.
Review and revise how your business verifies ages and seeks consent, in line with the GDPR.
- Data breaches
Review and revise how your business detects, reports and investigates data breaches; the GDPR imposes a 72 hour reporting timescale which if breached, can result in a 10 million Euro fine.
- Data protection by design and data protection impact assessments
Upskill on what they are; when they should be used within your business; review the ICO’s code of practice on Privacy Impact Assessments for detailed guidance.
- Data protection officers (‘DPO’)
Decide who is responsible for data compliance – assess whether the GDPR requires your business to formally appoint a DPO.
Identify your business’ supervisory authority if it operates in more than one EU member state.
At Hugh James, mindful of the breadth of coverage of the GDPR and new Data Protection Bill, we have put together a team of legal experts from across the firm who can help organisations prepare for this hugely significant legislative change. For more information, see our dedicated GDPR webpage here.