On 25 May 2018 the General Data Protection Regulation (GDPR) came into effect, and was heralded as the EU’s biggest shake-up of data protection regulation to date.
In the run-up to ‘GDPR-Day’ we were inundated with emails from businesses asking us if we wanted to “stay in touch” and asking us to re-consent to email marketing. Businesses scrambled to put in place GDPR-compliant privacy policies by the 25 May deadline, with the threat of fines at a maximum of €20 million or 4% of annual global turnover on the horizon.
However, the reality is that many organisations had not completed their GDPR preparations by that date, and with the perceived grace period for implementation over the last year, many companies are still behind.
This week, over a year after the GDPR came into force, we saw the ICO issue its first public fine, hitting British Airways with a huge £183m fine (although still some way under the maximum 4% of annual global turnover that could have been issued). Before this, fines under the GDPR had been limited. Over the past year there had been €56 million in fines issued against errant organisations, of which €50 million was issued against Google by the French data protection office and the balance split between much smaller fines throughout the EU.
Notwithstanding this, it is obvious that individuals are more conscious than ever about what data they share, who they share it with, and what those organisations then do with it.
The GDPR is intended to be an exercise in ongoing compliance, rather than a tick-box exercise. Our top tips for achieving ongoing GDPR compliance are below:
- Policies and Procedures
As a bare minimum, organisations should make sure that they have in place GDPR-compliant privacy policies and cookie policies, and have systems and procedures in place to record their processing activities (including processing purposes, data sharing and retention).
If you are carrying out processing that is likely to result in a high risk to individuals, you must ensure that you carry out Data Protection Impact Assessments (“DPIA”).
This is not the end of the exercise, however, with the ICO stating in their annual review earlier this year that one of their focuses for 2019 is ensuring that organisations move beyond ‘bare compliance’.
- Register with the ICO and pay the relevant fee
This requirement is easy to satisfy. Any organisation that is a data controller needs to register with the ICO and make payment of the annual data protection fee. This is one area where the ICO has been cracking down on both larger and smaller companies, and imposing significant fines for non-payment.
- Third-Party Contracts
The GDPR requires organisations (data controllers) to enter into written contracts containing specific provisions with any third party that processes personal data on their behalf (data processors).
This is one area where we often see organisations falling behind, particularly where personal data is transferred outside of the EU. Having in place a standard set of contractual provisions which can be included in any terms of service or supplier agreement can be a simple way of ensuring that this element of compliance is dealt with.
- Data Subject Access Requests
Does your organisation know how to handle a Data Subject Access Request (“DSAR”)? Over the past year we have seen an increase in DSARs, and in particular those issued by employment lawyers or litigators looking to secure a tactical advantage. Individuals do, however, have a right to access their personal data, and organisations need to know how to respond to these requests in an effective and efficient manner, to avoid both expending unnecessary time and resources and breaching the individual’s rights.
- Ongoing training
Many organisations will have carried out some element of training in the run up to the GDPR deadline last year, but it is always sensible to ensure that staff are kept up to date. Organisations should consider running regular refresher training, particularly for staff who handle large amounts of personal data including HR and marketing. This is key for understanding what to do in the event of a breach, upon receipt of a DSAR, and when to carry out a DPIA.
- Appoint a Data Protection Officer (if necessary)
The GDPR makes it a legal requirement to appoint a Data Protection Officer (“DPO”) if (a) you are a public authority or body, (b) your core activities require large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking), and (c) your core activities consist of large-scale processing of special categories of data or data relating to criminal convictions and offences.
Organisations can also choose to voluntarily appoint a DPO.
The DPO can be an existing member of staff, or externally appointed.
- Work towards “data protection by design and default”
This means you have to integrate or ‘bake in’ data protection into your processing activities and business practices, from design right through the lifecycle. Data protection by design is about considering data protection and privacy issues upfront in everything you do. It can help organisations to ensure that they comply with the GDPR’s fundamental principles and requirements, and forms part of the GDPR’s focus on accountability.
For more information please contact our corporate/commercial team.