All companies are expected to be compliant with the EU General Data Protection Regulation from May 25th, 2018. This defines personal data and sensitive personal data and how they are to be handled. It establishes fines for non-compliance and sets new regulations for breach notification. It is essentially all about respecting an individual's rights regarding their own personal information.
Sustained Growth Consulting partners with Data Protection Providers Ltd. to provide a service to ensure compliance. It will be important for all organisations to demonstrate compliance as fines are now applicable, and, in the event of any data breaches, it is very important to be able to demonstrate that you were taking appropriate steps to protect personal data.
Legal Basis for GDPR
- Consent for personal data to be shared and processed
- Access to personal data
- Right to be forgotten or ‘erasure’ – applies to your company and any third party with whom that data has been shared
- Right to portability – having the data sent to another company on your behalf
- Right to rectification – correct any information or bring it up-to-date
Data Protection Officer (DPO)
The requirement to appoint a Data Protection Officer (DPO) may not apply to you if you have fewer than 250 employees, unless you are doing a lot of data processing.
However, SMEs still need to be compliant with the GDPR, so it is best practice to either appoint a member of your staff as DPO or use an external service.
DPO duties include running a data awareness programme, staff training, ongoing information audits and carrying out a Data Protection Impact Assessment (DPIA).
Note: while it seems highly unlikely that fines as high as those cited in the regulation would be applied to SMEs, onerous fines could be issued to any organisation found in breach.
The fines cited are as follows:
2% of global revenue or €10M, whichever is higher, for:
- Data breaches.
- Not employing a Data Protection Officer (DPO).
- Not conducting a Data Protection Impact Assessment (DPIA).
- Not keeping appropriate records.
4% of global revenue or €20M, whichever is higher, for:
- Failing to gain consent.
- Not upholding consumer rights under GDPR rules.
- Moving data outside the EU without adequate protection.
GDPR Implementation Plan
- Map Current Process
Review and document all data processing activities and security processes in relation to:
  - Personal Data – identifying information such as name, address and email address.
  - Sensitive Personal Data – special categories requiring strong protection, including religious beliefs, race and genetic data.
Establish the what, where, when, why and legal grounds for data processing.
- Assess Risks
Where required, carry out a Data Protection Impact Assessment (DPIA): the process of systematically considering the potential impact that a project or initiative might have on the privacy of individuals.
- Changes Required
Identify any required changes to current data processing and plan the work needed to achieve compliance, e.g. evidence of consent may now need to be received and stored.
- External Providers
Identify joint controllers, processors and sub-processors, and create instructions on how data should be handled, e.g. for health insurers or outsourced payroll.
- Policy Documents
Create a publicly available data protection policy, which covers the key areas of:
  - Consent for personal data to be processed and shared
  - Access to personal data
  - Right to be forgotten
  - Right to portability
  - Right to rectification
  - Breach management
  - Breach register
Employment contracts and/or the staff handbook may need to be updated to reflect GDPR requirements, including use of CCTV, use of email and the internet, interaction with social media sites, and the website cookie and privacy statement.
- Client Information
Create and issue a client information leaflet (where needed).
Ensure all staff are adequately trained and understand their obligations under GDPR for client data. Maintain evidence of such training.
- Ongoing Audits
Regular reviews will be required to ensure that procedures are being followed and that any new procedures take GDPR implications into account.