The General Data Protection Regulation (GDPR) will introduce tougher rules on processing personal data, and place businesses under a raft of new duties, including obligations to carry out data protection impact assessments, maintain records of the steps they take towards compliance, and report major data breaches.
Fines for non-compliance, of potentially up to 4% of annual global turnover, are far more penal than under the current regime. So, with the GDPR set to apply from 25 May 2018, now is the time for businesses to ramp up their preparations for the reforms.
Conduct a data protection audit
Given the volume of changes the GDPR is bringing, organisations should already have begun preparing for it. Those that have not do not need to panic: they can begin the process by carrying out a data protection audit.
A data protection audit will help organisations identify the specific steps they need to take to prepare properly for the GDPR.
An audit can help identify any weaknesses in the organisational or technical measures organisations currently deploy which relate to their handling of personal data, and align them towards the particular requirements of the GDPR.
The audit can help organisations understand what data they hold and where it is held. Knowing what type of information is held, specifically whether it constitutes personal data, and if so, whether it is particularly sensitive personal information, can help businesses manage that data properly. Businesses that know where their personal data is stored around the world will also be better placed to comply with the GDPR's rules on the international transfer of such data.
The process can also involve a review of existing data processing contracts with third parties to ensure they are fit for the GDPR-age.
Starting or retaining an audit trail of data protection compliance measures
A new 'accountability' principle will apply under the GDPR. It means data controllers will be held responsible for, and must demonstrate compliance with, the principles that govern the processing of personal data under the new Regulation.
Those principles require, among other things, that personal data is processed lawfully, fairly and in a transparent manner, and is collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
Article 30 of the GDPR sets out record keeping duties that data controllers must abide by to meet their accountability obligations and demonstrate compliance.
Specifically, data controllers must "maintain a record of processing activities under its responsibility", including details of the purposes of the processing, what types of personal data they process and about what types of people, and the types of third party organisations to which they have disclosed or will disclose the personal data, as well as the "suitable safeguards" they have implemented if they have transferred the data to an organisation based outside of the European Economic Area (EEA). In addition, data controllers must, where possible, document, in general terms, the "technical and organisational security measures" they have deployed to address risks to data security.
Where data processing activities have been outsourced by data controllers, data processors must also maintain a record of all the types of processing activities they have been engaged to carry out.
The records that businesses must keep under the GDPR must be made available, on demand, to data protection authorities.
The record keeping duties will generally not apply to organisations with fewer than 250 employees, although there are some exceptions to this.
The legal duty to maintain the records will not apply until 25 May 2018, but it would be good practice for organisations to get into the habit as soon as possible before then, if they do not already document their steps towards compliance.
Implement and test incident response plans
Businesses active in some sectors of the economy, such as banks and telecoms providers, are already under a duty to disclose major data breaches they experience. However, a more general data breach notification regime will apply to all companies under the GDPR.
Under GDPR, data controllers will have 72 hours, where feasible, to report personal data breaches to data protection authorities "unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons".
Personal data breaches will have to be reported to the individuals affected "without undue delay" where the breach is "likely to result in a high risk to the[ir] rights and freedoms".
In an environment where cyber risk and the likelihood of a breach are growing, organisations need an incident response plan not only to manage their new legal obligations to report data breaches under the GDPR, but also to address the reputational damage they could suffer if they manage those incidents poorly.
Have a regular system of review and updating
It is clear that, given the ever-changing dynamics within a business (new staff, processes and technologies), businesses cannot be complacent in complying with the 'technical and organisational measures' principle and treat compliance as a 'tick box' exercise.
Unless a business's organisational and technical measures address its risks as it changes, it could find itself at substantial risk. As such, it would be prudent to ensure that a regular review of compliance measures is carried out.
Laura Gillespie is an expert in data protection law at Pinsent Masons, the law firm behind Out-Law.com.