GDPR – Need help?
From 25 May 2018 the General Data Protection Regulation (GDPR) will apply in full, tightening the rules surrounding the collection and processing of personal data. The GDPR will also greatly increase the potential penalties for non-compliance. James Sarjantson details the key actions you should be taking NOW to move towards GDPR compliance:
Undertake an “information audit” to document:
- The personal information that you hold (which could be the personal data of employees, clients, suppliers, etc);
- How that personal data was collected;
- With whom it is shared (which could include, for example, outsourced suppliers).
Remember, what matters here is personal data, i.e. any information relating to an identified (or identifiable) living person.
Lawful Basis of Processing
You need to consider, and identify in your data protection documentation, the lawful basis upon which you process all personal data. You must document the decision making and the policies and procedures you adopt to ensure compliance. The lawful bases for processing personal data are:
- Consent of the data subject (see the note on consent below);
- Necessary for performance of a contract with the data subject (or to take steps at their request before entering into one);
- Legal Obligations (i.e. processing necessary to comply with a legal obligation);
- Vital Interests (i.e. necessary to protect the data subject’s vital interests);
- Public Interest (i.e. necessary for a task carried out in the public interest or in the exercise of official authority);
- Legitimate Interests (this is likely to be a key basis for many businesses – this includes ordinary honest business practices and can include direct marketing, but must be balanced against the interests and fundamental rights of the data subject concerned* ).
The GDPR sets a higher standard for the data subject’s “consent” to processing – it must be freely given, specific, informed and unambiguous, given by a clear affirmative action – which will make consent harder to rely on, for example in respect of your marketing activity. You should review how any consents were previously obtained and, if necessary, consider refreshing them or relying on another lawful basis of processing.
Update Privacy Policies
You will need to update and enhance your written privacy policies and notices. You need to tell people how their data will be used. For example, you now need to identify in those notices the basis on which you process personal data, and any data retention periods.
New Rights and Subject Access Requests
Individuals have new and enhanced rights in respect of their data. You should ensure that you have systems in place that allow you to swiftly locate all personal data you hold, so that you can respond to detailed subject access requests within the new (shorter) timescale of one month, and if necessary to delete that data. Document how you comply with the principles below.
The New Data Protection Principles that you must comply with when processing ANY personal data are:
- Lawfulness, Fairness & Transparency (includes the requirement for privacy notices when collecting data);
- Purpose Limitation (collect data for specific, identified purposes, and do not further process the data in any manner incompatible with these purposes);
- Data minimisation (only keep what is relevant and necessary);
- Accuracy (keep it up to date);
- Storage Limitation (only keep it for as long as is necessary);
- Integrity and confidentiality (appropriate technical/IT security measures);
- Accountability (you must be able to demonstrate, with documentation, that you comply with the principles above).
Data Rights & Data Breaches
In the event of a personal data breach you may need to notify your supervisory data protection authority within 72 hours of becoming aware of it and, where the breach is likely to result in a high risk to individuals, the data subject(s) concerned without undue delay. Policies and procedures will need to be in place to ensure you can do this.
LCF Law can provide a consulting service to advise and assist your internal teams to achieve GDPR compliance, as well as preparing bespoke documentation to evidence your compliance.
(*and is subject always to the Privacy and Electronic Communications Regulations)
James Sarjantson has dealt with Data Protection matters on behalf of clients for many years and is able to provide practical and commercial solutions to issues raised by the General Data Protection Regulation (GDPR), and to advise on the steps that businesses can take themselves to move towards compliance.
For further advice, please contact James Sarjantson on 0113 201 0401 or