GDPR - Get Data Protection Ready

Most businesses will be aware that the European Union has recently approved the General Data Protection Regulation (GDPR) which will come into effect for EU Member States on 25 May 2018.

The GDPR has a wide application, as it applies to anyone offering goods or services to individuals in the EU or monitoring individuals' behaviour in the EU. It is therefore important for businesses outside the EU to consider whether any of their activities are caught by the GDPR.

Additionally, Jersey and Guernsey will be implementing new data protection legislation based on the GDPR.  This new legislation will be designed to ensure that the islands continue to protect personal data in a way which is equivalent to the protection afforded in the EU, once the GDPR comes into force.

Much has been written about the need for businesses to prepare for the introduction of the GDPR.  But what does that mean in practice?

Each month, starting in November 2017, we will be publishing a short article focusing on some practical steps we think will help you ready yourselves for GDPR in the 6 month countdown to May 2018.  These articles will appear below and on social media.

Preparing for the GDPR

People

So, your compliance officer has had data protection compliance as one of his objectives since the year dot.  He's bound to be all over GDPR.  You definitely have it covered, right?

Wrong.

With the impending introduction of GDPR, data protection compliance can no longer be the responsibility of just one person in your organisation, or a matter of marginal concern.  Everyone in the business needs to understand GDPR, what it is and the importance of putting data privacy at the heart of your policies, processes and practices.

This means that:

- the directors, or others responsible for the management of your business, need to have GDPR firmly on their agenda.  The widely-publicised penalties for breach of the GDPR and the equivalent legislation being introduced in other non-EU countries (including the Channel Islands) are designed to make data protection an issue for those at the highest level of the organisation

- public authorities, and private sector businesses carrying on high risk processing, must appoint an appropriately qualified and independent data protection officer who will be responsible for overseeing data protection compliance.  The data protection officer will need to keep up to date with developments, report directly to management on a regular basis, and liaise with the regulator to the extent required.  Other organisations that are not obliged to appoint a data protection officer should also consider doing so as a matter of good practice

- a framework of accountability should be introduced so that all project and team leaders at every level of the business are given responsibility for ensuring compliance with the processes and procedures being adopted in line with GDPR

- regular training should be given to all personnel so that they understand the key requirements of GDPR, what their obligations are and why this is so important to the business

Importantly, you also need to look outside your organisation, to your suppliers and others who will process the personal data you control, to ensure they will comply with the GDPR from May 2018.  It is your responsibility as the data controller to exercise a high duty of care in selecting these data processors.  Start the discussions now to find out what they are doing to prepare.

Preparatory Audit

Being able to comply with the GDPR by May 2018 requires preparation.  If you have not yet started preparing, it is imperative that you do so now.

First, you need to understand the life cycle of all categories of data within your business.  This means collaborating with the business leads across your organisation (such as the head of your HR, IT and Business Development teams), to identify:

- the entry point: what personal data you collect, where and who it comes from, how it comes into your organisation and why you are receiving it

- the process: where the data goes and what happens to it while it is in your organisation – where and how is it stored, who has access to it and why (is anything superfluous)?

- the inputs: what additional data is added from internal and external sources to the data you receive, who does it and why?  Is any of this additional data inferred through profiling or similar means?

- the outputs: what will be produced with the data in terms of reports and other outputs?

- the exit point: when and how is the data deleted or exported from the organisation?  If it is exported to a third party – who are they, what is the basis for the data being exported, and how and why will the third party process it?

Once you have mapped this information:

- you will be able to start to identify what has to change to enable you to comply with the GDPR

- you should document and keep the results to demonstrate what you have done to collate the information needed to underpin the development of your new data governance strategy.