GDPR: What organisations need to think about now
With only seven months to go, Laura Irvine, Partner at BTO Solicitors LLP, and Fraser Nicol, Partner at Scott-Moncrieff, look at what cultural organisations need to do now to ensure compliance with the General Date Protection Regulation by May 2018.
The General Data Protection Regulation (GDPR) will have direct effect throughout the European Union from 25 May 2018. The UK will still be an EU member at that time. The Government has confirmed that UK organisations will need to comply and has published the Data Protection Bill, which includes some specific UK provisions and some additional detail. However this is still in draft form.
There is also another regulation from the EU which will impact on digital marketing. The draft ePrivacy Regulation was expected to come into force at the same time as the GDPR – but this is looking unlikely. Post-Brexit there are unlikely to be many changes as the GDPR applies to anyone processing the personal data of those in the EU and therefore in order to continue to do business with Europe the standards will have to remain the same.
Adhering to GDPR will bring significant benefits. Understanding what data you hold, and why you hold it will actually significantly enhance your organisation’s ability to use it effectively. Effective Data Management can enable the roll out of new business models, support sophisticated customer targeting, reduce the cost of data ownership, reduce the risk of data loss and enhance marketing and customer retention activities.
Moreover, compliance with GDPR will help organisations to build trust with their customers and their business partners. Arguably, the sort of activities required to comply with GDPR are the sorts of things any organisation that wishes to compete effectively in the digital economy should be doing anyway.
What do organisations need to think about now
1. Lawful processing and Consent: it will become much more difficult to obtain valid consent under the GDPR but there are other lawful bases which have been ignored under the DPA. Organisations must identify what lawful basis it is relying on: is it necessary for you to gather the data for the provision of service under a contract; is it necessary for you to share the data because of a legitimate interest you have?
2. Transparency and Fair Processing: any processing must also be done fairly which means telling individuals what you are doing with their data even if you do not require their consent. Under the GDPR you must provide the following information in a Privacy Notice when you collect their information: your identity; the purpose for processing; the legal basis for processing; the categories of personal data concerned; the recipients of personal data if any; and the safeguards in place if data is to be transferred to a country outwith the EU. Other information must also be made available such as how long you will keep the data and a list of the rights each data subject has including the right to complain.
3. Accountability, Recording Data Processing and Data Protection Impact Assessments: you must be able to demonstrate compliance under the GDPR and so you must have documented policies and procedures. If you have over 250 employees or your processing is likely to result in a risk to the privacy rights of individuals then you must maintain a record of processing. In certain circumstances you must carry out a risk assessment before processing takes place.
4. Digital Marketing: this is mostly based on consent and organisations will not be able to rely on consent if it is not GDPR compliant from 25 May 2018. Databases may have to be refreshed and the work required to do this should be started now. There are different rules in relation to existing customers.
5. Data Protection Officer: certain organisations will require to have a DPO to advice on GDPR compliance. This individual cannot be someone who makes decisions about data processing but should have access to the Board. The responsibility remains with the data controller; the organisation in control of the data. If you are a public authority; if your core activity is processing large amounts of sensitive personal data or if your core activity involves systematic monitoring then you must have a DPO.
6. Data Subject’s Rights: there are some enhanced and some new rights and organisations must have a system in place to deal with them. The timescales are tight for compliance: all must be complied with in 30 days. In certain circumstances there is a right to be forgotten; a right to restrict processing and a right to object to processing. There are new rights concerning automated decision making and a right to move your data from one provider to another – data portability.
7. Children: if you are processing the data of children online you must decide whether you need to have a system in place to confirm their age and to obtain parental /guardian consent. A child is defined in the draft UK DP Bill as under 13. Privacy notices must also be adapted for children.
8. Data Controllers and Data Processors: both now have obligations to comply with the law and both can be investigated and fined. Any contract a data controller has with a processor must contain certain terms set out in the Regulation to ensure compliance, to provide the controller with assistance and to ensure that the Data Controller is aware of any sub-contractors.
9. Personal Data Breaches: data breaches must be reported to the ICO if there is likely to be a risk to the privacy rights of an individual within 72 hours of being discovered. If there a high risk to the privacy rights of individuals then they must also be notified without undue delay.
10. ICO Powers: the ICO will have the power to impose significantly increased levels of fines up to a maximum of €20 million or 4% of global turnover, whichever is higher for processing breaches and €10 million or 2% global turnover for the more administrative breaches.
BTO Solicitors LLP has its own GDPR Website which is updated from time to time and can assist with any data protection queries you may have. Scott-Moncrieff also regularly share updates on the legislation via their website.View all news