There has been a lot of noise in the run up to the 25th of May about what businesses need to be doing under GDPR. Unfortunately, this has led to confusion and, in some cases, misinformation, meaning some organisations might be taking unnecessary steps.
No one organisation is the same, but there are a number of core steps that any organisation that is collecting, storing and using individuals' personal data must put in place to ensure they are compliant with GDPR:
- Information audit: you need to know what personal data you hold and how you use it across the organisation.
- Communicate to your customers, employees and other relevant individuals: you need to be transparent about what you are doing with individuals' personal data, and under GDPR you must give significantly more information than under the previous data protection law. You will need to update your Privacy Policies and also relevant documents such as your Terms of Business and Employment Contracts/Policies.
- Update your policies: you will need to make sure that you are in a position to respect individuals' rights under GDPR and have the systems in place to deal with situations where individuals exercise those rights, e.g., if they ask for access to their personal data or for their data to be erased. For most organisations, this will involve updating or putting in place the following core policies:
- Subject Access Policy (and policies to deal with requests re erasure, rectification and objections)
- Data Retention Policy
- Know how you will deal with a data breach: it is vital that you have processes in place to keep data secure and to detect and deal with a data breach. You should have a Data Security Policy and Data Breach Policy documenting this.
- Understand the rules around consent, particularly in relation to online marketing: this is the main area where there has been significant confusion, with many organisations sending out emails to their database informing them they will be removed from their marketing lists unless they opt in before the 25th of May. In many cases, these emails will be unnecessary, and indeed they may in themselves be the subject of a complaint to the Information Commissioner. We can provide expert guidance on the rules relating to direct marketing and compliance with e-privacy laws, as well as GDPR.
- Contracts with data processors: if you ask another organisation to process data on your behalf, you must make sure you have a contract in place with them which ensures that they will provide sufficient guarantees that they are compliant with GDPR.
Other steps that may be relevant to your organisation
- Keep proper records: a core theme under GDPR is accountability. If you employ 250 or more employees, you must keep proper records of your processing activities in relation to personal data. You may also be required to do this if you have fewer than 250 employees but this will depend upon the nature of your organisation.
- Prepare Data Protection Impact Assessments (DPIAs): these are mandatory where data processing is likely to result in a high risk to individuals e.g., where you are deploying a new technology, you are carrying out profiling which is likely to significantly affect individuals or you are processing special categories of data (such as health data or criminal records) on a large scale.
- Consider whether you need to appoint a Data Protection Officer (DPO): you must formally appoint a DPO, an individual with expert knowledge of data protection law (who can be appointed on a service contract), in certain circumstances e.g., where you are carrying out regular, systematic and largescale monitoring of individuals or you are conducting large scale processing of special categories of data.
Even if you do not need to appoint a DPO, you should have sufficient staff and resources to meet your obligations under GDPR. At Mishcon de Reya, we recognise that the DPO is a specialist role, requiring a complicated balance of skills and knowledge, and we know from discussions with clients that not all of them are able to meet this need in-house. This is the reason we launched our Mishcon VirtualDPO service providing you with the support of a DPO equivalent, on terms tailored to your specific requirements.
You will also need to take further, specific steps if you process children's personal data or special categories of data, if your organisation is subject to the rules on data portability or automated decision making, or if you transfer personal data cross-borders.
Each data protection strategy will be unique to the given business or personal situation. The first step is a conversation with our team who will map out the best solution.
To learn more about GDPR and how to be compliant, please contact any of our data protection experts.