The EU General Data Protection Regulation (GDPR) aims to improve the ways that businesses handle personal data, and provide individuals with more transparency and control. The maximum fine of €20 million or 4% of global turnover shows that governments across Europe are taking data privacy seriously. By establishing appropriate controls, businesses can improve operational processes, help protect individuals’ privacy and also protect their revenue streams.
However, translating the legislative requirements into business practice by 25 May 2018 is proving a considerable challenge for many organisations. While helping clients on their journey to compliance, projects primarily focus on:
- Registering with the Information Commissioner’s Office and the future annual fee of £40 to £2,900 per applicable legal entity.
- Establishing organisational accountability, including: effective governance; Data Protection Officers if required; data protection impact assessments; change control (privacy by default and design); management documentation; training; and assurance.
- Documenting how data is processed, including: what data is used; who uses it, where and why; the lawful basis; security; and how long it is kept for.
- Ensuring that the lawful basis is correctly applied, including legitimate interest assessments and adequate consent. This includes consideration for unsolicited direct marketing to individuals, children, sensitive data and the balance of power for consent.
- Ensuring adequate contracts are in place with third parties and for international data transfers.
- Establishing adequate data security controls, often using broadly recognised schemes such as Cyber Essentials and ISO 27001, to demonstrate capabilities. Still, these certificates are not recognised under GDPR.
- Revising Privacy Notices to provide individuals with real transparency of processing.
- Preparing to handle data subjects’ requests, including the new timelines, fees and the new rights and IT enhancements.
- Preparing for data breaches and the 72-hour breach notification requirement.
While it is important to engage specialists to ensure the right approach is adopted, additional information from the European “Article 29 Working Party” and UK supervisory authority is proving a great help. Still more information is being drafted.
Through all the confusion, the businesses we speak with are clearly not willing to intentionally operate illegally. You still have time!
This article was written by Data GRC, a UK-based data protection and information security consultancy that provides outsourced Data Protection Officer services, GDPR training, compliance assessments and remediation support for clients.
Would you like to read more from Data GRC?
Perhaps you’d like to know about the role of a Data Protection Officer or understand the term “lawful basis”? Send your article requests to firstname.lastname@example.org or via the Contact Us form and we’ll do our best to answer your GDPR questions.