JPP Law Blog
General Data Protection Regulation (GDPR): Guide for businesses (Part 2)
Part 1 can be found at: GDPR - A guide for Business (Part 1)
As the rush to get your house in order before the General Data Protection Regulation comes into force on 25 May 2018 continues to gather pace, this is our practical guide for businesses, outlining the steps you should be taking now to ensure you are fully prepared.
'The first and most important thing for businesses to do is to ensure that they and their management team understand what the GDPR is and the rights and obligations it introduces or enhances. They then need to look at their current practices to identify anything that they are or are not doing which could cause them problems. Any areas identified as requiring attention should be considered carefully and an agreed plan put into place to address them well in advance of the GDPR coming into force', says Mark Glenister.
Processes and procedures
Review your processes and procedures for the management of data processing and usage and for the sharing of data with other organisations. It is particularly important to develop an effective procedure for rectifying inaccurate data, or erasing redundant data where this is appropriate, both internally and externally, as rectification and erasure may also need to be undertaken by third parties with whom you have shared the affected data. Think about what personal information you collect and where it comes from, how you use that information and anyone you share it with.
Privacy notices
Review your privacy notices as there are additional requirements under the GDPR. You need to make it clear why you process data and for how long you hold it. You also need to make sure you are notifying individuals whose personal data you are processing about their right to complain to the Information Commissioner's Office about your activities and that this information is being provided in plain English.
Subject access requests
Familiarise yourself with the new subject access request procedure, and ensure that you do not ask individuals to pay to access their information (unless the request is excessive or unreasonable, or is for repeat information), and that you are able to provide the data requested within one month rather than the 40-day period currently allowed. Where you believe you are justified in refusing a request, remember that you will need to give reasons explaining why this is.
Lawfulness of processing
Identify on which basis you can lawfully hold personal information and remember that if you are relying on an individual's consent, you will need to review the personal information you already hold to ensure that the consent in respect of that information was obtained expressly rather than via implication. Also bear in mind when relying on consent to justify your processing of personal information that it is easier for an individual to insist on the right to have their data erased by simply withdrawing their consent.
Data breach policy
Review your policy on data breaches to ensure that you meet the increased accountability requirements. In particular you will need to be able to demonstrate how you detect personal data breaches, how you investigate them and how you report them to the Information Commissioner's Office and, if appropriate, affected individuals.
Data protection impact assessment
It has always been good practice to assess risks regarding the data that you hold, but this is now mandatory in some circumstances under the GDPR - for example, if you are using new technology, are undertaking large-scale processing of special categories of data, or are conducting a profiling operation which is likely to significantly affect individuals. In some circumstances, you will need to consult the Information Commissioner's Office to seek advice and guidance.
Conclusion
For businesses already subject to the Data Protection Act, it is almost certain that you will also be caught by the GDPR. While many of the processes and procedures you already have in place will continue to stand you in good stead when dealing with personal information, there are significant new and enhanced obligations and rights that need to be considered, and these will almost certainly necessitate some adjustments to the way you and your staff do things. Being forewarned is being forearmed, so do not delay; take advice now to find out what you need to do and ensure that any required actions are implemented well in advance of the 25 May 2018 deadline.
For further advice on any of the issues raised in this article, or for commercial law advice more generally, please contact JPP Law on 020 3468 3064 or email info@jpplaw.co.uk.