General Data Protection Regulation Countdown – 6 months to go
With 6 months to go until the GDPR takes effect, organisations should now be well advanced in their GDPR preparations.
In our earlier update (GDPR Countdown - 9 months to go), we recommended that organisations conduct an audit to identify what personal data they hold, why it is held and what the current legal basis is for processing the personal data.
Once the above step has been completed, organisations should turn their focus to ensuring that their policies and procedures comply with the GDPR. As a priority, where consent is used as the lawful basis for processing personal data, organisations should review their consent mechanisms to establish whether they meet the new, stricter requirements of the GDPR. If the consent an organisation has obtained does not meet those stricter requirements, it will not be valid consent once the GDPR takes effect, and steps should be taken now to obtain consent which does meet them (or to identify an alternative ground for processing).
Organisations should also review any circumstances in which a third party is engaged to process personal data on their behalf and ensure that an appropriate agreement is in place which satisfies the GDPR requirements. This may mean entering into new agreements, or negotiating amendments to existing agreements, with the relevant processors.
As the above steps are likely to take time to complete, organisations should tackle these issues sooner rather than later to ensure that they are compliant with the GDPR before it takes effect on 25 May 2018.
Data Protection in the News
Uber seems to be dealing with a revolving door of crises at the moment - as soon as one disappears another one emerges.
It has recently been reported that hackers managed to access 57 million names, email addresses and mobile phone numbers held by Uber. It is understood that Uber paid the hackers $100,000 to delete the data in an attempt to conceal the data breach.
The ICO has confirmed that it is currently investigating the breach. It is likely that the ICO will take a hard line with Uber given the amount of personal data involved and the fact that Uber allegedly attempted to conceal the breach from the regulators. Could we see the first £500,000 fine under the Data Protection Act 1998 just before it is replaced? Time will tell…
This article is for general guidance only. It provides useful information in a concise form. Action should not be taken without obtaining specific legal advice.