Getting ready for the GDPR

The GDPR: What? Why? When?

The General Data Protection Regulation (or GDPR) is an EU law intended to protect the personal data of individuals. It does so by imposing strict rules on how personal data is handled and secured, and provides people with rights that will keep them in control of their data.

From 25 May 2018 the GDPR will replace the UK’s existing data protection regime. It will have worldwide effect and Brexit won’t stop it. It is onerous and, for many organisations, will be their most significant compliance obligation. Failing to prepare for the GDPR could result in large fines, reputational damage, civil claims from individuals, and breaches of contract.

Key changes

The following are a few of the important changes that will have effect from May 2018:

• Increases to maximum fines – up to €20million or 4% of worldwide turnover (whichever is higher)
• Consents will need to be opt-in (old consents, e.g. pre-ticked boxes, opt-outs won’t be valid)
• Extensive contract requirements which must be met when suppliers or contractors process personal data
• Compulsory reporting of data breaches and strict time limits for doing so
• In some cases, a duty to appoint a data protection officer
• New data subject rights, and changes to the rules for dealing with subject access requests
• Data processors being directly liable for breaches of the law
• Strict requirements for privacy policies and notices
• requirement to carry out privacy impact assessments in some situations

Burdensome though it may seem, the GDPR is also an opportunity to build trust with customers, implement robust information security measures, and improve your organisation’s brand and reputation. Being GDPR compliant is also an asset when marketing your organisation, and can distinguish it from competitors.

Structuring your compliance project

Most compliance projects focus on four key areas:

1. Customer data and marketing

Whether you deal with individual consumers or business customers, your organisation processes personal data. To do so lawfully, you will need a GDPR compliant privacy policy. Transparency is a fundamental part of the GDPR, and every organisation requires an effective privacy policy. If you are marketing, you will probably need to revisit contacts to get opt-in consent. You also need to be aware of marketing under the GDPR (and the PECR marketing rules).

2. Staff data

Employee personal data is dealt with very differently to customer personal data. Organisations typically process personal data (some of it sensitive) about staff for variety of compliance and contractual reasons, and may engage in activities like monitoring.

For such activities to be lawful, there must be a staff handbook or privacy policy which meets the GDPR’s requirements. Forms asking employees, agents and job applicants for data may also need to be revised to refer to the privacy policy.

3. Contracts

You will probably need to update the data protection contract clauses in your standard terms, employment contracts, subcontractor agreements etc. These clauses tend to be stand-alone and can usually be dealt with quickly and cost-effectively. Keep in mind that contracts entered into now, which are still effective next May, should be GDPR compliant.

Your organisation will also need a data processing contract for when you engage others to process data on your behalf (e.g. your payroll provider).

If your services involve personal data processing, your customers will increasingly insist on having a GDPR compliant contract in place. Equally you should have your own (pro-supplier) processing terms. If you can’t offer these, you may have to sign up to the customer’s terms, which are likely to be more onerous and include warranties and indemnities etc.

Lastly, you’ll probably need a data sharing contract for when you share data with other controllers (e.g. pension providers).

4. Security, risk management and operations

The GDPR’s security requirements can be onerous. You need to ensure your supply chain is secure, and in case the worst should happen, have in place a data security incident management policy.

You may also need to appoint a data protection officer, and be aware of how to carry out privacy impact assessments.

Another consideration is data cleansing, storage and retention periods.

Everything else

There are other areas which may need to be addressed (such as international transfers and data transfer contracts), depending on how your organisation uses data.

You’ll also have to update your subject access request templates and put in place procedures to deal with new data subject rights.

When should you begin?

The GDPR became law in May 2016, but it was agreed there would be a two-year transition period before it comes into effect (on 25 May 2018) so that organisations can ensure they are compliant. Businesses which market to consumers must act immediately, as they will need time to run opt-in marketing campaigns (which must be done carefully, as businesses have been fined for breaching the existing marketing laws when seeking GDPR opt-in consent).

Businesses are likely start to seeing their customers ask about the GDPR. Being compliant will be asset when marketing your services, and help differentiate you from competitors.

How can we help?

Our experts are working with a wide range of businesses on their GDPR compliance and have developed a step-by-step process to help get you on track when it comes to compliance. We have developed standard template documents, as well as producing bespoke contracts and policies, and we can help you identify and map how the organisation uses personal data, and put in place a GDPR compliance plan which is right for your business. To help you manage costs, we work on a fixed fee basis.

---

The content of this page is a summary of the law in force at the date of publication and is not exhaustive, nor does it contain definitive advice. Specialist legal advice should be sought in relation to any queries that may arise.