Taking a proactive and forward-looking approach to GDPR will reap the benefits.
GDPR implementation will require a comprehensive plan to ensure that the impact the regulation has on a firm is fully assessed, understood and mitigated. With the regulation becoming effective in less than a year (on 25 May 2018), firms need to start the compliance implementation process as soon as possible. It is important to recall that a lack of compliance with the GDPR can expose firms to significantly tougher fines than the current fines imposed for breach of the Data Protection Act.
The following are some key points to consider when planning for GDPR:
Board level buy-in
All firms should make key decision makers and executives aware of the new Regulation and its potential impact. From there, decisions can be made by the firm to move forward with confirming or implementing controls and procedures related to compliance with GDPR.
This may include determining and documenting whether it is mandatory for the firm to appoint a Data Protection Officer (DPO). If the firm determines that a DPO is not mandatory, it may still want to consider voluntarily appointing one. Alternatively, the firm may assign responsibility for data protection compliance to a designated person and decide where that person will sit in the firm’s structure.
The firm should consider whether to conduct Data Protection Impact Assessments (DPIA), effectively a data protection risk assessment. DPIAs are mandatory where the envisaged processing activity is likely to result in a high risk to the rights and freedoms of natural persons, and they must be completed prior to carrying out the processing activity. The DPIA process is also recommended by the ICO to all firms handling data and can help in the early identification of problems potentially reducing the risks of fines being imposed, the risk of damage to reputation, and costs that may be associated with remedying a breach of the GDPR.
Information analysis
Firms should consider conducting an information audit to establish what personal data the firm holds, what it is used for, where it came from, who it is shared with, and how it is stored and transferred. This may help determine whether the firm is a controller, a processor or both, and what contracts are or should be in place, including what changes need to be made to existing contracts. Reviewing existing data-related policies and other documents is also important; this includes identifying and documenting the changes which need to be made to those policies and documents. Together, these steps help the firm towards complying with the obligations set out in the GDPR.
Individuals’ rights
The firm’s policies and procedures should be checked to ensure that all individuals’ rights are covered, such as the ‘right to be forgotten’ and the ‘right to erasure’, and that individuals’ data can be provided to them in a commonly used format. This should be reviewed across all data collection formats such as the internet, call centres and paper. Similarly, how consent to collect is sought, obtained and recorded should also be reviewed and necessary changes made. Data subject access requests should also be considered with respect to the new timetables and how additional information will be provided.
Communication and data breaches
Privacy policies, procedures and documentation should be reviewed and updated to ensure they are GDPR compliant. Data breach detection, reporting and investigation should also be planned for and thoroughly tested, with robust incident management processes in place.
As outlined above, there is much work for firms to do prior to the commencement of the GDPR. This regulation will elevate data processes and protection to board level for ongoing attention and review, with high penalties for those who fail to prepare and comply. With data becoming ever more important to businesses and companies, the issue of protecting it is only going to grow, meaning those who take a proactive and forward-looking approach will reap the benefits.
Data security remains an important aspect under this regulation. We specialise in a range of services including data breach response, information security and reputational harm recovery. To find out more: www.locktoninternational.com.
Please note that the purpose of this article is to provide a summary of and our thoughts on aspects of the General Data Protection Regulation. It does not contain a full analysis of the law nor does it constitute a legal opinion or advice by Lockton Companies LLP on the law discussed. The contents of this article should not be relied upon and you must take specific legal advice on any matter that relates to this. Lockton Companies LLP accepts no responsibility for loss occasioned to any person acting or refraining from acting as a result of the material contained in this article. No part of this article may be used, reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, reading or otherwise without the prior permission of Lockton Companies LLP.
Find out more – listen to ACCA's on demand GDPR webinar
ACCA recently hosted a webinar providing an overview of the demands of GDPR. You can access this by registering here and watching the webinar when convenient. Feedback from this webinar is being used to build a series of sector-specific webinars on the GDPR. Once this series of follow-up webinars has been developed, its availability will be promoted to all members.