The new General Data Protection Regulation (the ‘GDPR’) takes effect on 25 May 2018. Its purpose is to strengthen the protection of personal data held about individuals and to enhance privacy. For your business, this means ensuring that you are compliant in advance of 25 May 2018 to avoid paying hefty fines for non-compliance with these new rules.
However, the GDPR is not too dissimilar to the Data Protection Act 1998 as it applies to ‘Data Controllers’ who say how and why personal data is processed and to ‘Data Processors’ who process personal data on behalf of the Data Controller. Processing data means obtaining, recording or holding the information or data, including organising, adapting, retrieving, disclosing, erasing and disseminating data. The GDPR places specific legal obligations on Data Processors and Data Controllers and there is now a greater legal liability for breaching the rules.
There are 5 steps to take to avoid paying fines for non-compliance.
1. Understand how the GDPR applies to your organisation
It is important to understand how the GDPR applies to your organisation. Under the GDPR, personal data includes online identifiers and location data, so IP addresses and mobile device IDs count as personal data. The GDPR also introduces the concept of pseudonymous data, which is personal data that has been subjected to technological measures such as hashing or encryption so that it no longer identifies an individual without the use of additional information. While pseudonymous data is still considered to be a type of personal data, organisations that pseudonymise their data will benefit from relaxations of certain provisions of the GDPR, which could significantly limit a business’s liability under the GDPR rules.
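The paragraph above describes pseudonymisation as hashing an identifier so that it no longer points to a person unless someone holds the “additional information”. The following is an added illustration of that idea in Python; it is not code from the original article. It assumes a record layout that I have constructed for the example, uses HMAC-SHA256 (a keyed hash) rather than a plain hash, and keeps the secret key and the re-identification table apart from the pseudonymised data. The keyed construction matters for the identifiers the paragraph names: an unkeyed hash of an IPv4 address or a device ID could be matched back to its input because the space of possible inputs is small, which would defeat the purpose of pseudonymising it.

```python
import hashlib
import hmac
import secrets

# Constructed sample record, as a business might hold it (not real customer data).
SAMPLE_RECORD = {
    "customer_id": "C-1001",
    "email": "alice@example.com",
    "ip_address": "203.0.113.42",                           # online identifier
    "device_id": "A1B2C3D4-E5F6-7890-ABCD-EF1234567890",    # mobile device ID
    "purchase_total": 42.50,                                # not an identifier
}

# Fields that, on their own, identify a person and must be pseudonymised.
IDENTIFIER_FIELDS = ("customer_id", "email", "ip_address", "device_id")


def new_pseudonymisation_key() -> bytes:
    """Generate the secret key that acts as the 'additional information'.
    It must be stored separately from the pseudonymised data and access-controlled."""
    return secrets.token_bytes(32)


def pseudonym(value: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) of one identifier value.

    With the same key, the same input always yields the same pseudonym, so records
    stay linkable for analytics. Without the key, the pseudonym cannot be reversed
    or recomputed, even for low-entropy inputs such as IPv4 addresses."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise_record(record: dict, key: bytes) -> dict:
    """Return a copy of the record with every identifier field replaced by its pseudonym.
    Non-identifying fields are left untouched."""
    out = dict(record)
    for field in IDENTIFIER_FIELDS:
        if field in out:
            out[field] = pseudonym(out[field], key)
    return out


class ReidentificationTable:
    """The separately held mapping from pseudonym back to the original value.

    Only a process holding both this table and the key can re-identify a person;
    a dataset of pseudonymised records on its own cannot."""

    def __init__(self, key: bytes):
        self._key = key
        self._table: dict[str, str] = {}

    def register(self, value: str) -> str:
        """Record a value and return its pseudonym."""
        p = pseudonym(value, self._key)
        self._table[p] = value
        return p

    def resolve(self, p: str):
        """Look up the original value for a pseudonym, or None if unknown."""
        return self._table.get(p)


if __name__ == "__main__":
    key = new_pseudonymisation_key()
    table = ReidentificationTable(key)
    for field in IDENTIFIER_FIELDS:
        table.register(SAMPLE_RECORD[field])
    safe = pseudonymise_record(SAMPLE_RECORD, key)
    print(safe)
    print(table.resolve(safe["ip_address"]))  # only possible with key + table
```

In practice the key and the re-identification table would live in a separate, access-controlled system from the analytics data, and a documented procedure (see step 3) would say who may use them and why.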
2. Put someone in charge
Businesses impacted by the GDPR will need to appoint a Data Protection Officer who will be responsible for defining procedures for the business to ensure compliance. This person will need to also train employees, directors and contractors in the business about compliance procedures and is the point of contact for complaints or reporting a breach.
3. Check your procedure (both internal and external)
The GDPR requires documented procedures for many things, including defining the legal basis for using the data that your business acquires; delivering privacy notices; acquiring explicit consent from people when required (including online consents – so check your website consents); managing access to data by users; handling requests by customers; and training employees in data handling. It would be useful to develop a guidebook of procedures for your business.
4. Meet technical requirements
The GDPR has some explicit requirements, such as responding to customer complaints within 30 days, sharing or erasing customer data on request, keeping records of who sees which data and reporting any breach within 72 hours. It will also be important to classify data, focus on encryption and centralize customer data management using secure software and applications. Your business should first undertake a detailed technical assessment to understand what you currently have in place. It is also important to ensure that your supplier level agreements and contracts comply with the GDPR rules when contracting with another business or consumer.
5. Define a governance structure
While best practices will no doubt evolve, your business should have a governance structure in mind to ensure that your processes keep up with any GDPR changes. One key aspect of this structure is to have a Privacy Impact Assessment, which would assess the risk of any proposed data use and balance that risk against the business value.
In consideration of rapidly developing technology, the GDPR affords greater protection for individuals. However, digital and advertising agencies will be significantly affected, as they rely heavily on both pseudonymous online identifiers such as cookies and customer data for targeted marketing campaigns.
Please contact Kishan Bhatt to help you navigate through the complexities of the GDPR and to ensure your contracts are up-to-date with the new GDPR regime. We can also help put together a compliance guide for your business.