The countdown begins: two years to comply with new General Data Protection Regulation
The final text of the new General Data Protection Regulation (GDPR) has been published in the Official Journal of the EU. The legislation enters into force on 24 May 2016 and is binding on all Member States. The GDPR takes effect in two years - on 25 May 2018. A theme of the legislation is that organisations must be accountable for all their processing activities. As you will see below, organisations should be prepared to provide documentary evidence of their processing from system design to data collection and eventual deletion. The provisions of the reform package are extensive and compliance is mandatory (we summarised the legislation in our April 2016 data protection newsflash). It is vital to ensure that your business is ready for the changes. The Information Commissioner's Office (ICO) has published a checklist that sets out 12 steps you should be taking to make sure you are ready for the reforms. We summarise these below.
The ICO's recommendations
- Key stakeholders should be made aware of the GDPR: steps should be taken to familiarise decision-makers with the GDPR in order to prepare for compliance. If the organisation has a risk register, this should be reviewed in light of the new provisions.
- Get organised - map personal data held by the organisation: logging details of the type of information, where it came from and how you use it will help you comply with an information audit and facilitate other duties the organisation faces under the GDPR.
- Re-examine your privacy notices: the GDPR adds new obligations on organisations to explain how they use individuals' personal data, such as the requirement to explain the legal basis for processing the data, data retention periods, and that individuals are entitled to complain to the ICO. The ICO will be releasing an updated version of its privacy notices code of practice later this year.
- Procedures should include individuals' rights: the GDPR sets out a number of individual rights, including the right to make subject access requests, the "right to be forgotten" and the right to prevent direct marketing. These should be reflected in your organisation's procedures.
- Prepare to handle subject access requests: while individuals are already entitled to request to see what personal data you hold on them, the rules are changing under the GDPR. In particular, it will not be possible to charge individuals who submit such requests and organisations will have less time to comply - usually only a month instead of the current 40 days.
- Clarify the legal basis of processing: under the GDPR, you will need to identify the legal basis for your organisation's processing as this may affect the data subject's rights. The legitimate interest basis will be narrowed.
- How are you obtaining consent? Consent must be "freely given, specific, informed and unambiguous". Controllers must be able to demonstrate that consent has been provided and sufficient information should be given to ensure that this is unambiguous. As a result, an audit trail is vital.
- Protection of children: the GDPR introduces special protection for children's personal data. In the UK, it is likely that organisations - and social networks in particular - will need to obtain parental/guardian consent to process the data of anyone younger than 13. As with adults, it is important to have a system in place to log consent.
- Duty to notify data breaches: the GDPR introduces the requirement for all organisations to notify data breaches to the ICO where the individuals concerned are likely to suffer harm. It is therefore important to have procedures in place to identify, report and investigate breaches.
- Privacy by design and privacy impact assessments (PIAs): the new legislation requires organisations to take a "privacy by design" approach to data protection, building privacy into any new system from the outset. PIAs are an integral component of privacy by design. They help organisations identify how best to comply with their data protection obligations. PIAs are required in situations of high-risk data processing, e.g. where new technology is being used, but they may be suitable for wider use.
- Data protection officers: the GDPR makes it mandatory for certain organisations, such as public authorities or bodies that regularly and systematically monitor data subjects on a large scale, to designate a data protection officer (DPO). For other organisations, it may still be prudent to appoint a specific individual charged with overseeing data protection compliance.
- International: multinational organisations should identify their main place of establishment in order to determine which data protection authority they come under. This will have a bearing on where cross-jurisdictional complaints are investigated. Where a main establishment is hard to identify, assess where your organisation makes most of its data processing decisions.
See here for the ICO's detailed checklist.
Given the wide-reaching obligations under the new legislation and the significant sanctions for non-compliance, we urge you to address these issues as soon as possible.
Ashurst will be providing a series of training sessions on the new legislation. If you would like to register your interest, please email events@ashurst.com using the message heading "Ashurst data protection training".
Key Contacts
For further information on any of the issues raised in this newsflash, please speak to one of the Ashurst Data Protection team below or to your usual Ashurst contact.
The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
Readers should take legal advice before applying it to specific issues or transactions.