September 5th 2017

The European General Data Protection Regulations (GDPR) will come into force next May with increased requirements for data security and individuals’ rights regarding it, along with increased penalties for getting it wrong. Kevin Ferguson takes a closer look at the implications along with 12 steps that you need to take now.
Getting ready for GDPR

Despite Brexit, the UK Government has indicated that it will implement the EU’s General Data Protection Regulation (GDPR). This will apply from May 2018, but even if the Government had decided not to do so, companies dealing with data relating to EU citizens would still be required to comply. This is because the GDPR will affect not only organisations operating within the EU but also those outside the EU that offer goods and services to individuals within the EU.

The GDPR will apply to companies which fall into two broad categories, the definitions of which are very similar to those defined in the Data Protection Act. ‘Controllers’ say how and why personal data is processed and ‘Processors’ act on behalf of controllers.

If you are a Processor, the GDPR will place specific legal obligations and liabilities on you; for example, you will be required to maintain records of personal data and processing activities.

If you are a Controller, you are not relieved of your obligations where a Processor is involved; the GDPR will place further obligations on you to ensure that your contracts with Processors comply with the GDPR.

Whilst the principles are similar to those in the Data Protection Act, there are certain additional requirements that UK companies do need to be aware of. The most significant requirement is accountability: the GDPR requires you to demonstrate compliance by ensuring that you have adequate systems, contractual provisions, documented decisions about processing and training in place.

Personal data
The GDPR will apply to ‘personal data’ that is held about employees; however, it is even broader than that. Any data that could be used to identify an individual is considered to be personal data, and this can include things such as genetic, mental, cultural, economic or social information and IP addresses.

Sensitive data, known as ‘special categories of personal data’, is treated in a way fairly similar to the Data Protection Act, but there are some minor changes that will need to be addressed, including genetic data and biometric data which has been processed to uniquely identify an individual.

The issue of consent, where it validates the use of personal data, is also a significant development. An individual’s silence or inactivity will no longer be considered as consent; organisations need to ensure that they are explicit when seeking consent and outline how they will use the information.

Preparing for GDPR – 12 steps to take now
Employers need to start acting now to ensure that they are compliant. Here’s our list of actions to consider:

1. Awareness
You should make sure that decision makers and key people in your organisation are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have.

2. Information you hold
You should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit.

3. Communicating privacy information
You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.

4. Individuals’ rights
You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.

5. Subject access requests
You should update your procedures and plan how you will handle requests within the new timescales and provide any additional information.

6. Lawful basis for processing personal data
You should identify the lawful basis for your processing activity in the GDPR, document it and update your privacy notice to explain it.

7. Consent
You should review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents now if they don’t meet the GDPR standard.

8. Children
You should start thinking now about whether you need to put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity.

9. Data breaches
You should make sure you have the right procedures in place to detect, report and investigate a personal data breach.

10. Data Protection by Design and Data Protection Impact Assessments
You should familiarise yourself now with the code of practice on Privacy Impact Assessments as well as the latest guidance from the Article 29 Working Party, and work out how and when to implement them in your organisation.

11. Data Protection Officers
You should designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements. You should consider whether you are required to formally designate a Data Protection Officer.

12. International
If your organisation operates in more than one EU member state (i.e. you carry out cross-border processing), you should determine your lead data protection supervisory authority.

So why is this so important?
You need to consider this now because the penalties that can be imposed will increase substantially. Depending on the level of the breach, fines can be significant: up to 4% of the total annual turnover (not profit) based on the preceding financial year. That is not to mention the detrimental effects of bad PR for those organisations that have been victims of data breaches.

Our Recommendations
Whilst it does seem a long way off, as you will see, there is definitely a lot to be done between now and May 2018. Data Controllers and Processors in your business need to clarify exactly what data they hold and how personal data is used. You also need to make sure that systems which protect privacy both internally and externally are in place, and that contractual provisions are in place with your clients and service providers to ensure that compliance and suitable indemnities do exist.

As ever, if you would like to talk with one of the team about the forthcoming changes to data protection laws and the implications on your own business, then don’t hesitate to get in touch with us.

JRW Chartered accountants in Edinburgh, Galashiels, Hawick, Langholm and Peebles.