GDPR - Get Data Protection Ready

Most businesses will be aware that the European Union has recently approved the General Data Protection Regulation (GDPR) which will come into effect for EU Member States on 25 May 2018.

The GDPR has a wide application, as it applies to anyone offering goods or services to individuals in the EU or monitoring individuals' behaviour in the EU. It is therefore important for businesses outside the EU to consider whether any of their activities are caught by the GDPR.

Additionally, Jersey and Guernsey will be implementing new data protection legislation based on the GDPR.  This new legislation will be designed to ensure that the islands continue to protect personal data in a way which is equivalent to the protection afforded in the EU, once the GDPR comes into force.

Much has been written about the need for businesses to prepare for the introduction of the GDPR.  But what does that mean in practice?

Each month, starting in November 2017, we will be publishing a short article focusing on some practical steps we think will help you ready yourselves for GDPR in the 6-month countdown to May 2018.  These articles will appear below and on social media.

Preparing for the GDPR

People

So, your compliance officer has had data protection compliance as one of his objectives since the year dot.  He's bound to be all over GDPR.  You definitely have it covered, right? 

Wrong.

With the impending introduction of GDPR, data protection compliance can no longer be the responsibility of just one person in your organisation, or a matter of marginal concern.  Everyone in the business needs to understand GDPR, what it is and the importance of putting data privacy at the heart of your policies, processes and practices.

This means that:

- the directors, or others responsible for the management of your business, need to have GDPR firmly on their agenda.  The widely-publicised penalties for breach of the GDPR and the equivalent legislation being introduced in other non-EU countries (including the Channel Islands) are designed to make data protection an issue for those at the highest level of the organisation

- public authorities, and private sector businesses carrying on high risk processing, must appoint an appropriately qualified and independent data protection officer who will be responsible for overseeing data protection compliance.  The data protection officer will need to keep up to date with developments, report directly to management on a regular basis, and liaise with the regulator to the extent required.  Other organisations that are not required to appoint a data protection officer should also consider doing so as a matter of good practice

- a framework of accountability should be introduced so that all project and team leaders at every level of the business are given responsibility for ensuring compliance with the processes and procedures being adopted in line with GDPR

- regular training should be given to all personnel so that they understand the key requirements of GDPR, what their obligations are and why this is so important to the business

Importantly, you also need to look outside your organisation, to your suppliers and others who will process the personal data you control, to ensure they will comply with the GDPR from May 2018.  It is your responsibility as the data controller to exercise a high duty of care in selecting these data processors.  Start the discussions now to find out what they are doing to prepare.