As the implementation date for the General Data Protection Regulation (GDPR) fast approaches, businesses may be wondering whether they have done enough to prepare for the May deadline.
The Information Commissioner’s Office (ICO) has stated that although 25 May is the date the legislation takes effect, GDPR preparation doesn’t end on this date; instead, it should be an ‘ongoing journey’.
Businesses should continue to develop their compliance programmes over the coming months and understand the risks of getting things wrong.
1. Lawful processing
In order for any data processing activities to be lawful under the GDPR they must meet one of the legal bases outlined in Article 6. Firms must be able to identify the legal basis they are relying on to process different types of personal data and it is advisable for this to be documented in a central record of processing activities.
A procedure should also be established for adding any new types of data processing activities – for example, if a new service offering is developed.
Knowing which legal basis is being relied upon is key for two reasons.Firstly, under transparency requirements, businesses must inform individuals of which one applies. As such, privacy notices need to be updated to include an explanation about this.
Secondly, legal rights depend on the legal basis being relied upon. For example, data portability only applies if the legal basis for processing is consent or contractual necessity. This makes it vital for businesses to know which legal basis is being relied upon before putting procedures for complying with GDPR requests in place.
Since the GDPR raises the bar to a higher standard of consent, firms should carefully review all processing where consent has been identified and consider the use of an alternative basis (for example, legitimate interests) wherever possible.
If firms get their consent mechanisms wrong, they could face substantial fines and the ICO has warned that there will be no ‘grace’ period after 25 May.
2. Individuals’ rights
The GDPR significantly enhances the rights of individuals, with an extended right of access, a right to rectification and new rights to data portability and erasure of data.
Where an individual exercises any of these rights, the business must be able to respond without undue delay and, in any event, within one month.
It is important therefore to provide ongoing staff training on the procedures to follow when dealing with individuals’ GDPR requests.
Businesses should also carry out a risk assessment to ensure that each of their systems have adequate functionality to search, access, restrict processing, delete or rectify personal data held in that system.
Each system will also need to be able to transfer the personal data to another controller in a “commonly used electronic format”, as required by the data portability requirements of the GDPR.
This should be reviewed periodically to ascertain if the privacy risks change, for example, if the use of personal data changes or if new technology becomes available.
3. Data protection by design and default
Article 25 of the GDPR requires organisations to implement appropriate technical and organisational measures designed to implement data protection principles (such as data minimisation) from the outset of any project.
In order to demonstrate that data protection by design and by default principles have been adhered to, businesses should document the data protection considerations that have been taken into account when implementing any new project (such as the cost of implementation and the nature of processing) and the measures that have been taken to ensure that data is minimised and protected.
Where data processing will constitute a high risk to individuals, firms will need to carry out a Data Protection Impact Assessment (DPIA) to identify relevant risks and appropriate solutions.
The regulator may request a copy of impact assessments at any time.
It is therefore advisable to implement a DPIA policy setting out when DPIAs will be required (for example, if automated processing will be carried out), the procedure to be followed and identifying the person(s) responsible for completing DPIAs.
4. Breach notification
Controllers must notify the regulator within 72 hours of becoming aware of a personal data breach, unless the breach is low risk.
Where a breach poses a high risk to individuals, it will be necessary to notify the individuals affected “without undue delay”.
Training must be undertaken and a data breach management policy put in place to explain to employees the procedure to follow in the event of an actual or suspected data breach. This policy should include a ‘chain of command’ for reporting the breach and determining steps to be taken to mitigate against further breaches.
All breaches must be logged for the regulator to view at any time, even if they are not required to be notified.
5. Litigation risks
It has been well publicised that the ICO will be able to impose fines up to the higher of 4 per cent of annual global turnover or £17m.
Perhaps of greater significance though is the potential for the combination of both fines and wide-scale litigation and claims for damages. While individuals have the option to complain to the ICO about a possible breach, this will not provide any financial compensation that they may feel they deserve.
Continued media coverage of the GDPR has raised awareness of individuals’ rights, including the right to rectify, the right to erasure and data portability.
There appears to be consumer confusion over the application of these rights, which could result in legal claims.
Equally, where a breach has occurred, individuals will be entitled to compensation for mere distress, irrespective of whether any financial loss has been suffered. The extent of this right to compensation is now enshrined within the GDPR.
Although compensation is unlikely to be significant in respect of individual claims, organisations will need to remember that one act can potentially affect large classes of individuals, leading to the possibility of group claims, as with last year’s Morrisons data breach ruling.
In these cases, even modest damages awards per head could lead to substantial payouts.