- The General Data Protection Regulation (GDPR) comes into effect this week, enhancing the data protection regime across the EU
- The UK Government has confirmed its commitment to the GDPR, and to enacting equivalent provisions under the Data Protection Bill in the event of Brexit
- While controllers must be prepared to demonstrate compliance, Information Commissioner Elizabeth Denham has urged organisations not to panic: "25 May is not the end of anything, it is the beginning, and the important thing is to take concrete steps to implement your new responsibilities…"
What are the five things I should do this week?
The GDPR is effective on 25 May 2018. If you haven't already implemented these steps, it's time to take action:
- Notify the Information Commissioner's Office (ICO) about your processing activities. We recently reported on the UK's updated notification obligations under the Data Protection (Charges and Information) Regulations 2018, which also come into effect on 25 May (read our first Data Byte, Data and M&A: monetising the "new oil", for more detail). The new three-tiered structure sees large controllers charged £2,900 a year to notify their processing activities unless they are charities.
- Finalise your marketing consents. No doubt your inbox is full of requests for consent to the continued processing of your personal data for marketing purposes. Processing based on consent must meet more rigorous requirements under the GDPR. In particular, consent should be a freely-given, specific, informed and unambiguous indication of the data subject's wishes. If your marketing is based on another ground, such as "legitimate interest", make sure an assessment has been undertaken and documented in your privacy notices and internal procedures.
- Update your privacy notices. The GDPR requires that controllers produce notices to data subjects including information about e.g. the legal basis for processing their personal data, transfers outside EEA, data retention periods, rights of access, rectification and erasure and complaints procedures. Now is the time to finalise your client and employee privacy notices and to ensure that data subjects are aware of your practices.
- Implement training and internal awareness. Shiny new privacy notices and internal compliance procedures are all well and good, but it's important to educate staff who come into contact with personal data as to how their provisions should be put into practice. As part of your GDPR compliance management procedures, we recommend rolling out internal awareness programmes.
- Don't panic – we're in this for the long haul. The changes heralded by the GDPR are detailed and comprehensive. Amid scandals such as Cambridge Analytica and well-reported data breaches, we are all becoming better educated about personal data – what it is, how it can be exploited and how it should be protected. The GDPR offers an opportunity to audit internal systems and to build trust with customers, but this will not happen overnight. Fundamentally, what we're seeing is a cultural change – and this is only the beginning…
We have not included our regular Byte-sized news round-up in this issue of Data Bytes in order to focus exclusively on the GDPR. Byte-sized news will be back next time (when life goes on under the GDPR!).