9 quick tips to help your business prepare for GDPR
25 July 2017
10 months from today the General Data Protection Regulation (GDPR) will officially come into force. The new regulation from the EU, which has been four years in the making, aims to standardise and strengthen data protection across the EU, giving citizens greater control over how companies use their personal data and levying strict financial penalties on those who fail to comply.
Although Britain has triggered Article 50, marking the official start of Brexit, businesses in the UK will still need to comply with the GDPR, as the regulation applies to any organisation that processes the personal data of EU citizens – the organisation does not have to be in the EU itself.
Organisations were originally given a two-year transition period to prepare for the start of the GDPR; however, as the deadline grows ever closer, many are still under-prepared. As the GDPR builds on the regulations outlined by the 1998 Data Protection Act, there is no doubt that organisations will already comply with certain aspects, but there are a number of new restrictions to be aware of. Below we have outlined some quick tips for compliance, and we recommend that organisations start their preparations sooner rather than later.
Quick tips for compliance
1. Appoint a Data Protection Officer (DPO) – Somebody within the firm will need to hold the role of Data Protection Officer. This doesn’t necessarily have to be a full-time position, and it can be outsourced if required.
2. Know how you can use data – You will, of course, store personal client data on file and throughout different IT systems. It’s now imperative that you understand what personal data you hold and how you process it. You may have had initial consent from the client, but this does not necessarily mean that you have consent to process that data in a different manner. You may need to obtain renewed consent, and you will certainly need to review your consent forms and documents to ensure they are robust enough to cover you.
3. Make people aware – All key decision makers and management within the firm should understand that the law is changing. They should really understand how GDPR is being implemented and what effects it is going to have.
4. Data on children – There is a real focus within the GDPR on data held about children. You should be looking into how you verify the ages of individuals and how you will obtain parent/guardian consent for the processing of children’s data.
5. Ensure your data processors are up to speed – Take time to assess every service provider and individual who processes personal data. It’s important that they fully understand the changes that are coming and take responsibility for them. It’s likely that some training would be beneficial. It’s also important to continually monitor, report and audit. You can undertake regular Privacy Impact Assessments (PIAs) to review processes and systems and to deal with any required remedial action.
6. Understand your clients’ rights – The client has increased rights, beyond those in the 1998 Data Protection Act, over the data you hold on them, such as the right to erasure, the right to be informed and the right to restrict processing. The right to data portability is new, so you should read into it before changing policies and procedures. You should also assess areas such as how you delete data and how you present it on demand, i.e. in what document format. At the end of the day, what are the legal grounds for holding client data?
7. Review consent and fair processing policies – The GDPR goes beyond current requirements around the information that must be provided to data subjects when requesting consent to process personal data. The processes and protections already in place will not be adequate under the GDPR. Firms should ensure they are using simple language when asking for consent to collect personal data. They also need to be completely clear about how the data will be used: no assumptions can be made, and silence from a client is not consent. Any problems in the area of consent will certainly lead to issues and potentially large fines.
8. Prepare for a data breach – Still to this day, many firms have no truly usable documented policies and procedures in place for how they will respond to a security breach. A firm must know exactly how it will deal with a breach, as making decisions when it’s all falling apart around you can make a bad situation even worse.
9. Use technology for automation – Law firms will typically have systems in place to assist in performing compliance and risk checks. Speak to the vendors of the systems you already use about how they are going to assist you in automating (as much as possible) the management of your GDPR compliance obligations. The more you can automate, the less risk there is of something dropping through the net. It’s all about the workflow.