With the date of 25 May 2018 now passed, any organisation that handles personal data will need to give urgent consideration, if it has not already done so, to the steps it needs to take to become compliant with the General Data Protection Regulation (GDPR).
What then should such an organisation be doing?
1. Evaluate and Assess
The first step is to evaluate what personal data the organisation holds, and where, how, why and for how long. Does the organisation share such data with third parties? This audit will help inform the next steps that the organisation will need to take.
Note that personal data can be stored in many different ways (paper files, e-mail, shared drives, cloud services, backups, and so on), and it includes data relating to employees as well as clients. Organisations may find the questionnaires available on the thinkgdpr.org website helpful.
2. Process According to GDPR Principles
An organisation must process personal data in compliance with the principles of GDPR, such as having a lawful basis for processing that data and only to the extent it is adequate, relevant and limited to what is necessary.
The legal basis on which all personal data is held will need to be reviewed and documented, and processes will need to be introduced to ensure compliance with those principles. For example, for clients of professional services firms, it may well be that processing is necessary for the performance of a contract and for the organisation to comply with the law (for example regulatory obligations). However, that is not always the case and, in any event, further thought should be given as to where personal data may be used for other purposes, such as marketing.
3. Third Party Sharing
Where personal data is shared with third parties, for example in an outsourcing arrangement, the organisation must establish how, where and for how long those parties store the data, and the contracts with them will need to be reviewed to ensure they are GDPR-compliant. It is important to bear in mind that those third parties may include an organisation's bank or even the company that is responsible for collecting its shredding bins!
4. Inform Data Subjects
Data subjects must be informed about how their personal data is stored and used. This includes, but may not be limited to:
- The legal basis on which someone’s data is processed.
- How long it will be kept.
- Details of any third-party recipients and countries it is transferred to.
- Whether consent is relied on (and, if so, how it is recorded) and the rights afforded to them by GDPR.
5. Policies and Procedures
Various policies and procedures must be put in place or amended. For example, they will need to address:
- How an organisation will handle a request by someone asking to exercise the rights they have under GDPR, for example a request to have their personal data deleted or a subject access request. Note that an organisation will have one month to comply with a subject access request.
- How an organisation should respond if there is a data breach. Note that a data breach will need to be reported to the Office of the Data Protection Commissioner (DPC) in Guernsey within 72 hours of the organisation becoming aware of it, so the procedure must allow a breach to be identified, escalated and assessed well within that period.
6. Data Protection Responsibility
Thought will need to be given as to who will be responsible for data protection in the organisation. In some cases, such as where large-scale processing of special categories of data is carried out, it is a requirement that a Data Protection Officer (DPO) is appointed who will, amongst other things, be responsible for monitoring the organisation’s compliance with GDPR. Even if a DPO is not appointed, someone at board level should be tasked with that responsibility, and for updating the board about data protection in general.
7. Staff Training
In any event, regardless of whether an organisation is obliged to appoint a DPO, it must ensure that it has sufficient skills and staff to discharge its obligations under GDPR. Linked to that, it is vital that staff have sufficient training so that they are aware of and understand those obligations and what they are required to do by reference to an organisation’s policies and procedures.
8. Data Protection Impact Assessment
An organisation may need to carry out a data protection impact assessment (DPIA) if and when a new data processing system or technology is introduced, and must do so where the processing is likely to result in a high risk to individuals. A DPIA helps organisations identify, assess and mitigate or minimise the privacy risks of such activities before they begin.
9. Office & IT Security
From a practical point of view, an organisation should review its office (physical) and IT security, with a view to putting in place technical and organisational measures appropriate to the risk, so as to minimise the likelihood and impact of a data breach.
Further guidance on the various aspects of GDPR is anticipated to be issued by the DPC shortly.
Here to Help
Ensuring compliance with GDPR may seem daunting, particularly for a small organisation, and it is likely to mean a significant shift in the way we all think about and handle personal data. That shift will doubtless present both challenges and opportunities but, in short, embracing data protection as a fundamental part of an organisation's culture is bound, in the long run, to pay dividends.
Ferbrache & Farrell LLP can help an organisation on its journey to becoming GDPR compliant by advising on the legal issues that it may need to address, and by reviewing existing contracts, policies and procedures and drafting any other related documents that may be required.