With many channel businesses still caught in the GDPR headlights, tech, telecoms and Internet lawyer at decoded:Legal Neil Brown provides a risk-based approach to preparing for the new data protection rules which come into force in May.
The new data protection framework, the General Data Protection Regulation (GDPR), comes into effect in less than three months. While the clock is ticking down fast and time is running out, it may still not be too late to get your organisation into shape, or at least on the path towards compliance. The GDPR, which applies from 25th May, makes a number of changes to the current data protection rules. It generally requires you to think longer and harder about your processing of personal data, be more transparent with the people to whom that data relates, and have better records.
The requirements around security have been strengthened and individuals get more rights, including the right to a copy of some data in electronic form to help them move between service providers. And, unlike the current rules which permit you to charge up to £10 to give people a copy of their data and grant you 40 days to do so, after 25th May you cannot charge and you have to respond within a month, other than in exceptional circumstances.
If you are compliant with the current rules, you can heave a slight sigh of relief: You are in good shape for the GDPR. You'll still have work to do, but you are not in a terrible position. If you process personal data but are not compliant with today's rules you are in for a tougher time.
For an overview of the GDPR, take a look at the guidance issued by the regulator, the Information Commissioner's Office, entitled ‘Preparing for the General Data Protection Regulation: 12 steps to take now', which breaks down what you need to do into simple steps. However, with just three months to go you might still find yourself short of time. That's where prioritisation comes in.
In terms of prioritising your path to GDPR compliance, one approach is to work out what you need to do to minimise the risk of complaints on 25th May and cover them off. Have a plan for dealing with all of your other obligations in the weeks and months after that. You would do this by focusing on the bits that increase the risk of regulatory attention. So put yourself in your customers' or other data subjects' shoes, think about what they are likely to ask and what they are likely to expect of you. When you have your list, put it in order with areas that represent the highest risk at the top. Once you've got them in order, start at the top and work down.
There are two things to note with this approach. Firstly, it is risk-based and will not make you compliant by 25th May. You'd need to be happy with that risk. Secondly, ‘low risk' does not mean ‘low risk from a privacy perspective'. The actions you tag as low risk are still important and still need doing, but they are just not the first ones on which you'll focus your attention.
What is high risk to you and your customers and data subjects will depend entirely on your circumstances. There's no single list which you could follow and be sure you were tackling things in a sensible order. With that in mind, here is a ‘starter for 10' to help your thinking (the references to Article numbers are articles in the GDPR, for more detail).
• Check that your security is up to scratch. Not only do data breaches and leaks cause considerable customer concern and upset, many fines under the current regime relate to security lapses (Art. 32).
• Check you can comply with subject rights (Arts. 12-22).
• Check your consents: If you rely on consent for processing (for example, some marketing activities) check your consent meets the new requirements and that you have records (Art. 7).
• Update the privacy notice on your website and other media (Art. 13).
• If you need to appoint a data protection officer, do so (Art. 37).
• Create your ‘record of processing', which is basically a list of what you do, why and who it affects (Art. 30).
• Prepare a personal data breach notification plan, just in case something does go wrong. And, if you are subject to the ePrivacy framework, tie this in with your reporting obligations there too (Arts. 33-34).
• Revisit high risk processing agreements with suppliers. The new rules require more legal stuff in processing agreements than under the current rules (Art. 28).
• Put in place a process for new data processing agreements and for carrying out supplier due diligence (Art. 28).
• Create a framework for doing and documenting impact assessments for higher risk processing (Art. 35).
• Document your general privacy accountability, internal process and controls, and document processing bases (Art. 5). While this is rated as ‘lower risk', not having these is unlikely to cause a customer complaint, but be aware that the ICO is likely to ask for these early in any engagement with you. Not having them would not be a good start.
However you classify your risks, keep a record of what you have done and why. Similarly, create a plan for compliance, including the lower risk gaps. In the event of a problem, even if you cannot show you are compliant, you can at least show that you are aware of what is required and that you are working towards it. This might not be a full resolution, but you are in a much better position than having nothing to show.
For more information contact Neil Brown at firstname.lastname@example.org