The General Data Protection Regulation (GDPR) (EU) 2016/679 of 27 April 2016 which comes into force in May 2018, will introduce major changes to the law on the processing of personal data in the European Union. Over the next twelve (12) months, several European Union law firms we work very closely with will join us in providing you with more information on the GDPR. Different themes will be tackled month by month to help you prepare for the GDPR deadline.
Part #2 of this GDPR Series is brought to you by Mills & Reeve, a United Kingdom law firm. Other blog entries in this series will be brought to you by the law firms of Graf von Westphalen (Germany), FIDAL, (France) and VanBenthem & Keulen (Netherlands) as well as Robinson+Cole (United States).
In any major project there is an analysis phase – involving a careful examination of your organization’s current set-up and what needs to be done to deliver the project successfully. Preparing for the GDPR is no exception. Depending on the structures and practices of your organization, compliance could require a significant allocation of resources to ensure that you are ready by the implementation date: 25 May 2018.
So what can be done to get started?
Perhaps the best first step is to conduct a self-assessment audit. This will help organizations map the likely impacts of the changes in data protection law on their activities.
A few key points are worth looking at in detail:
The development and implementation of a GDPR strategy requires strong leadership and the most effective strategies will be those that begin life as a boardroom priority, not least because fines of €20m or more may be issued under the new legislation. Organizations may wish to consider be updating their risk register and organizing work-flows to ensure compliance – recording any issues and allocating responsibility from senior management downwards. Depending on the scale of your activities, this might include the appointment of a Data Protection Officer under GDPR Article 37.
‘Accountability’ is a “red thread” that runs throughout the GDPR – Article 5(2) states that controllers “shall be responsible for, and be able to demonstrate compliance with” the data protection principles, whilst Article 24 refers to controllers being able to “demonstrate that processing is performed in accordance with this Regulation”.
Organizations ought to be reviewing their framework of policies and procedures as well communicating those policies to staff and monitoring compliance. Part 1 of this series on GDPR mentioned the importance of promoting a risk-based approach and changing internal processes to comply with accountability risks. The right documentation will be key.
Know your data flows
Mapping data flows are frequently a priority. Work out where in your system personal data is received and where it is transferred out. Who has access to it and is that access necessary? Are there any security issues to be aware of at any point in your network? (eg ”internet of things” devices that connect to both your network and the internet and often do not have a high level of security – a prime example is CCTV).
Identify which of your data flows pose the highest risk to individuals. Some examples are already being heavily scrutinized under the current law – international transfers, large-scale marketing, profiling, behavioral analytics and fundraising activities are all typically deemed high-risk activities.
Fair processing information
Article 5 of the GDPR requires that personal data is processed lawfully, fairly and in a transparent manner in relation to the data subject. One of the best ways to comply with this will be to provide clear and full information up front to individuals about how, where and why you will be using their data.
A self-assessment exercise may want to consider focus on what fair processing information is currently given to individuals at the point of acquisition of their data. Information can be collected from various platforms – marketing lists, credit reference checks, Facebook / website sign-ups, or apps. Each platform may collect the data through different means, and require different processes. What is your condition for processing the data? Are you relying on consent and, if so, how is that consent obtained? Organizations may be want to assess whether current consents are sufficient to meet the requirements under GDPR.
In particular, review whether any new projects are being planned and take a look at how privacy can be built into these from the start, particularly if they are likely to result in a high risk to the rights and freedoms of individuals.
Know your escape routes
There are a few ways in which the effects of the GDPR can be mitigated or disapplied. Remember that the GDPR only applies to data that falls within the definition of “personal data” – if you can effectively anonymize the data so that individuals are no longer identifiable then the principles of data protection will not apply (GDPR Recital 26).
Implementing technical and organizational security measures can also provide a safety net in the event of a data breach – Article 32 notes the importance of encryption of data and making back-ups. A strong self-assessment will look at what techniques are already being used to secure data, how these can be improved and how new techniques (e.g. pseudonymization) can be harnessed.
Achieving GDPR compliance is a challenge and an early self-assessment is vital. Organizations wishing to know more can track the next instalment in this series, which will focus on consent and fair processing – two of the key topics that will require considerable thought to bring activities in line with GDPR compliance.