It is estimated 70% of businesses are not GDPR-ready, but there is still time before it comes into force, writes John Fuller of J.W. O’Donovan Solicitors.
With less than ten weeks to go before the new General Data Protection Regulation (GDPR) comes into force on the 25 May, some businesses are facing the seemingly overwhelming task of getting their systems, processes and staff ‘GDPR-ready’. That said, even if you are only now beginning to consider the impact of GDPR on your business, there is still enough time to make substantial progress before the new law comes into force, particularly if a business initiates a properly-resourced project with the aim of delivering GDPR compliance.
The following is a brief outline of the steps which might be followed in such a project.
Step 1: Identify a project leader
As with any project, it is important that someone takes ownership of the overall project and is responsible for its delivering. While the automatic response might be to choose some from the IT department, you should give due consideration to who would be best placed to determine what is required by the business as a whole. Ideally, the project lead should be someone within senior management who can command the authority and resources necessary to deliver the project.
Step 2: Form the project team and map out a project plan
Once appointed, the project lead should form a project team drawing from each relevant sector of the business (IT, marketing, HR, etc.). A project plan should then be developed with deliverables allocated to each member and timeline for delivery put in place. All relevant departments should be made aware that the members of the project team must be afforded sufficient time to deliver on their responsibilities. The project should be seen as having equal status with any other project to be delivered by the business – if team members are expected to work on it only in their downtime, between other tasks, then deadlines will not be met.
Step 3: Identify the personal data used by the business
One of the first tasks to be undertaken by the project team is a review of the data held by the business to determine:
- What data is held
- How it is collected
- Why it is collected and how it is used
- How it is stored
- For how long it is retained
Each team member should carry out the above analysis for their own sector of the business.
Step 4: Analyse the data use in the context of key principles introduced by GDPR
GDPR sets out seven principles governing the processing of personal data as follows:
- Personal data must be processed lawfully, fairly and in a transparent manner.
- Personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
- Personal data must be adequate, relevant and limited to what is necessary in relation to purposes for which they are processed.
- Personal data must be accurate and, where necessary, kept up to date. Inaccurate personal data should be corrected or deleted.
- Personal data should be kept in an identifiable format for no longer than is necessary.
- Personal data should be kept secure using ‘appropriate technical and organisational measures’.
- Organisations must not only comply with the above six general principles but must be able to demonstrate that they comply by documenting and keeping records of all decisions.
Having identified the data held and its purpose, an analysis should be carried out to determine if the business complies with the first six principles listed above in its processing of personal data. Particular attention should be given to identifying the grounds for lawful processing of data as required by the first principle.
The grounds for lawful processing that will most commonly be relied upon by private businesses are the consent of the data subject, the performance of a contract with the data subject and the legitimate interests of the business. Each ground has specific criteria which must be met before it can be relied upon and great care should be taken to ensure those criteria are met.
For example, under GDPR if you are relying on the consent of the data subject, the consent must be “freely given, informed and unambiguous” and the data subject must have taken a positive step to indicate his or her consent (so pre-ticked boxes or opt-out mechanisms cannot be relied upon).
Step 5: Develop resources required for compliance
Some of the resources that are likely to be required include:
- A personal data policy
- An updated privacy notice
- Policies for responding to subject access requests and dealing with data breaches
- Updated consents from clients to the use of their personal data (where the consent currently relied upon does not meet the standard required by GDPR)
- Notices issued to third-party data processors requesting confirmation that they are compliant with GDPR in processing data on behalf of the business
- A template for conducting Data Impact Assessments
- Revised technical measures (firewalls, anonymisation of data)
Step 6: Implement the new regime and maintain compliance
Consideration should be given to the manner in which new policies and processes should be communicated to clients – GDPR can provide an opportunity to engage with clients and reassure them that their personal data is treated with an appropriate level of sensitivity. Staff should be trained so that they are aware of new policies and will act appropriately if a subject access request is received or a data breach occurs.
A business may appoint a Data Protection Officer (DPO) whose role is to monitor the business’ compliance with GDPR and advise the business on same. A business may be obliged to appoint a DPO in certain circumstances, depending on the nature of the data processing undertaken.
Where a business wishes to introduce a process for processing personal data which involves new technologies, and which the processing is likely to result in a high risk to the rights and freedoms of individuals (for example, where a large amount of data will be processed), a Data Protection Impact Assessment must be conducted. This will be broadly on the terms set out above at step 4.
Step 7: Document compliance
As noted above, the seventh principle of GDPR is the obligation to demonstrate compliance. Accordingly, records should be kept of each of the above steps and procedures should be put in place to review compliance periodically (with such reviews also being documented).
Remember to take a risk-based approach
GDPR embraces a ‘risk-based’ approach to data protection, that is the obligations imposed on businesses are commensurate to the level of risk to the data subject that will result from the business processing their data.
Accordingly, businesses should focus on identifying the areas of greatest risk and should concentrate initially on implementing the appropriate measures required. If this is done, the level of exposure under GDPR can be reduced significantly before the new law comes into force.
John Fuller is a solicitor with J.W. O’Donovan Solicitors in Cork. He specialises in corporate and commercial law, with a particular interest in data protection.