The GDPR: What? Why? When?
Key changes
Increases to maximum fines - up to €20 million or 4% of worldwide turnover (whichever is higher)
Consents will need to be opt-in (old forms of consent, e.g. pre-ticked boxes and opt-outs, won’t be valid)
Extensive contract requirements which must be met when suppliers or contractors process personal data
Compulsory reporting of data breaches and strict time limits for doing so
In some cases, a duty to appoint a data protection officer
New data subject rights, and changes to the rules for dealing with subject access requests
Data processors being directly liable for breaches of the law
Strict requirements for privacy policies and notices
Requirement to carry out privacy impact assessments in some situations
Structuring your compliance project
1. Customer data and marketing
Whether you deal with individual consumers or business customers, your organisation processes personal data. To do so lawfully, you will need a GDPR compliant privacy policy. Transparency is a fundamental part of the GDPR, and every organisation requires an effective privacy policy. If you are marketing, you will probably need to revisit your contacts to obtain opt-in consent. You also need to be aware of the rules on marketing under the GDPR (and the PECR marketing rules).
2. Staff data
Employee personal data is dealt with very differently from customer personal data. Organisations typically process personal data (some of it sensitive) about staff for a variety of compliance and contractual reasons, and may engage in activities like monitoring.
For such activities to be lawful, there must be a staff handbook or privacy policy which meets the GDPR’s requirements. Forms asking employees, agents and job applicants for data may also need to be revised to refer to the privacy policy.
3. Contracts
You will probably need to update the data protection contract clauses in your standard terms, employment contracts, subcontractor agreements etc. These clauses tend to be stand-alone and can usually be dealt with quickly and cost-effectively. Keep in mind that contracts entered into now, which are still in effect next May, should be GDPR compliant.
Your organisation will also need a data processing contract for when you engage others to process data on your behalf (e.g. your payroll provider).
If your services involve personal data processing, your customers will increasingly insist on having a GDPR compliant contract in place. Equally, you should have your own (pro-supplier) processing terms. If you can’t offer these, you may have to sign up to the customer’s terms, which are likely to be more onerous and to include warranties, indemnities etc.
Lastly, you’ll probably need a data sharing contract for when you share data with other controllers (e.g. pension providers).
4. Security, risk management and operations
The GDPR’s security requirements can be onerous. You need to ensure your supply chain is secure and, in case the worst should happen, have a data security incident management policy in place.
You may also need to appoint a data protection officer, and be aware of how to carry out privacy impact assessments.
Another consideration is data cleansing, storage and retention periods.
The content of this page is a summary of the law in force at the date of publication and is not exhaustive, nor does it contain definitive advice. Specialist legal advice should be sought in relation to any queries that may arise.