General Data Protection Regulation Countdown – 3 months to go
With three months to go until the GDPR takes effect, organisations should be well on their way towards GDPR compliance.
To recap, in our previous GDPR Countdown updates we recommended that organisations conduct an audit to identify what personal data they hold, why it is held and what the current legal basis is for processing the personal data. We then recommended that organisations consider the mechanisms they have adopted for obtaining consent where consent is the legal basis for processing, review what agreements they have in place with any third party processors and ensure that steps are taken to update those mechanisms and agreements before the GDPR takes effect.
If your organisation has not yet done all of the above then beware - the clock is ticking and some of these tasks can be a drain on time and resources. It is better to take action sooner rather than later to avoid a deadline day panic.
If your organisation has achieved the above then that suggests positive progress, but unfortunately it's not time to sit down and relax just yet.
One of the key elements of the GDPR is the accountability principle, which essentially means that organisations are required to have in place comprehensive governance measures to demonstrate how they comply with the data protection principles. So it's time to take your organisation's data protection policies and procedures out of the drawer, dust them off, and update them to ensure that they adequately address how your organisation processes personal data.
That's step one when it comes to policies.
Step two is ensuring that all staff are made aware of your organisation's updated policies and receive adequate training in data protection. One of the biggest risks of your organisation suffering a data breach comes from your own staff, and this is often due to a lack of understanding of what they can (or, more importantly, cannot) do with personal data rather than the result of malicious intent. Training is therefore essential to try to mitigate this risk. Once staff have been trained, ensure that your organisation keeps records of the training and schedules further training for the future. If something does go wrong, you want to be able to demonstrate that you did everything you could to avoid it.
Organisations also have to be transparent and provide accessible information to individuals about how they will use individuals' personal data. This is often achieved using a privacy notice, for example, on a website or on an application form. The information which has to be provided to individuals under the GDPR is more expansive than under the current Data Protection Act 1998. Organisations should therefore: (i) identify from where they are collecting personal data; (ii) review what privacy information they are providing to the individual at that point; and (iii) where necessary update the privacy information to ensure compliance with the GDPR.
If you would like to discuss how we could assist your organisation, please contact David White or any member of the Commercial and IP Team.
This article is for general guidance only. It provides useful information in a concise form. Action should not be taken without obtaining specific legal advice.