Companies need to look past the endless emails to ensure they are taking the necessary steps to comply with the new rules.
By now you’ll be extremely bored of those emails popping up in your inbox and telling you that even your clients are about to stop talking to you.
It’s all a load of GDPR.
If you’re wondering whether your business is GDPR-compliant, here are five essential considerations that will assist with ensuring you adhere to the new regulations.
1) Lawful basis for processing data
You must have a lawful basis for processing personal data under the GDPR. There are six available bases that broadly replicate those under the previous regime.
Most lawful bases require that your processing is ‘necessary’. If you can reasonably achieve the purpose without processing, you will not be able to rely on the lawful basis.
One such lawful basis for data processing is consent. Consent must be freely given, specific, informed and unambiguous. Unlike the previous regime, consent cannot be inferred from silence or pre-ticked boxes – there must be a positive opt-in. Consent must be provided separately from your other terms and conditions, and you must provide a simple way of withdrawing consent. Hence all the emails.
2) Review agreements with third parties
Unlike the previous data protection regime, where only data controllers had compliance obligations, the GDPR imposes direct obligations on data processors.
It also imposes specific requirements on data controllers as to what to include in their data processing agreements with data processors. There are no exemptions for agreements already in place, so you will need to update your existing data processing agreements.
3) Data protection by design
The GDPR explicitly recognises the concepts of “privacy by design” and “privacy by default”. To comply, businesses will now have to consider data protection and privacy at the design stages of a project, and implement organisational and technical measures to ensure data protection rights are safeguarded throughout.
It is important that businesses integrate data protection into their business processes, and when new processes are being considered, data protection is added to the agenda.
4) Awareness and training
One of the simplest steps you can take to ensure your business is compliant with the GDPR is to raise awareness among staff.
The data protection policy and procedure will need to be updated and you will need to ensure this is effectively implemented by your workforce. Training sessions and staff awareness will generally assist with this task.
5) Data breaches
For the first time there is an obligation on all organisations to report certain types of data breaches to the relevant supervisory authority.
You should make sure you have the right detection, investigation and internal reporting procedures in place, as you are required to report a breach to the Information Commissioner’s Office within 72 hours of becoming aware of it. If the breach is likely to affect the rights and freedoms of individuals, you are also required to inform those individuals without undue delay.
Failure to report a breach may result in a fine, in addition to the fine for the breach itself.
You are also required to keep a record of your data breaches, regardless of whether you have an obligation to report to the ICO.
Consideration of the above five points will assist with ensuring that your business is GDPR-compliant.
However, if you would like to ensure complete compliance with the GDPR you should, if you have not already done so, conduct a full review of the data protection and privacy policies at your business.
The consequences of not doing so may be severe.
Ciaran Noonan is an associate at Goodman Derrick