The GDPR – General Data Protection Regulation – is a new data protection law, which will come into force on 25 May 2018. It will apply to all businesses operating within the EU, including businesses that are based outside the EU but that offer products or services to individuals within the EU.
1. Personal Data
The definition of personal data is becoming wider, and it could include, for example, IP addresses. Review and document what personal data you hold, how and where you collect it, the purposes for which you use it, who you share it with, etc.
2. Lawful Basis For Processing
Before processing any personal data, you will need to identify and document a lawful basis for doing so. This could be consent, but consent isn’t the only condition for processing. For example, the processing might be necessary for the performance of a contract.
3. Consent
The definition of consent is changing, and the standard for obtaining consent is going to be higher. If you rely on consent (e.g. to send direct marketing), check your consent mechanisms to ensure that you are going to be compliant from 25 May 2018.
4. Individual Rights
The GDPR contains new rights and enhanced rights for individuals, for example the right to withdraw consent and the right to be forgotten. Ensure that you understand these rights, and work out how you can enable individuals to exercise them.
5. Automated Decision Making
The GDPR will introduce protections for individuals where businesses are undertaking automated decision-making, including profiling. Identify whether your operations involve automated decision-making, and (if so) assess how you can comply with the new requirements.
6. Privacy Policies
A key theme is transparency, and businesses are going to have to tell individuals a lot more about the personal data they are collecting and processing. Check your privacy policies and identify what additional information they will need to contain.
7. Data Breaches
Certain data breaches will need to be reported to the ICO within 72 hours. The individuals affected may also need to be notified. The consequences of failing to notify the ICO will become more severe, with the ICO able to impose higher fines.
8. Data Protection Officer
Businesses will need to appoint a Data Protection Officer if they carry out large-scale systematic monitoring of individuals, or large-scale processing of special categories of data. Assess whether you will need to appoint a DPO, and (if so) who should perform the role.
9. Record Keeping
Other key themes are governance and accountability, and you may need to keep additional internal records of your processing activities, and undertake privacy impact assessments. Check to what extent these new requirements might apply to you.
10. International Data Transfers
Restrictions will be imposed on the transfer of personal data outside the EU. Review your operations to identify the circumstances in which you might transfer personal data outside the EU, and ensure that such transfers will comply with the conditions set out in the GDPR.
11. Staff Training
In advance of 25 May 2018, start to raise awareness of the GDPR among your employees. Nearer to the implementation date, staff should also be given training on the new law. Depending on their roles, some employees might require more in-depth training.
The consequences of non-compliance with data protection laws will become more severe, with fines for serious breaches of up to €20 million or 4% of global annual turnover (whichever is greater).