GDPR compliance – here are the 14 things you actually need to do

Regular readers of this site will be well aware that a major update to data protection legislation across Europe is about to come into force. The General Data Protection Regulation (GDPR) becomes law across the EU as of 25th May, meaning any business operating in any EU member state – including the UK – now has just over four months to make sure it is fully compliant. The ultimate aim of the regulation is to give individuals more rights over their data and restrict how companies process private information.

The problem is, there has been so much information flying around about GDPR - with many vendors and organisations honing in on the particular angle that benefits their sales team the most - it’s difficult to get a clear view of exactly what businesses need to do to actually meet the new rules. So here’s our guide to the areas you should be focusing on ahead of 25th May – and what the reality is for those who don’t comply.

1. €20m GDPR fines are possible - but unlikely

One of the headline-grabbing changes is that under GDPR, firms can be fined up to €20 million ($28m) or four percent of group worldwide turnover, whichever is greater. There is a lot of fear and scare-mongering around this element – I came across a warning recently that the threat of insolvency or even closure as a result of GDPR penalties will soon be very real for all businesses.

However, the likelihood of a company being fined to this extent is miniscule, even in the face of a serious breach, as the UK’s Information Commissioner herself has pointed out.

While the GDPR financial penalties are terrifying on paper compared to the maximum £500,000 fine under current UK law, ICO chief Elizabeth Denham is keen to assure businesses that issuing fines “has always been and will continue to be, a last resort”. As evidence of this, she highlighted that of the 17,300 cases considered for the 2016/2017 period, only 16 of them resulted in fines.

Furthermore, the ICO hasn’t even issued a fine at the highest current £500,000 level – the worst it has doled out is £400,000, and that was for the Carphone Warehouse breach affecting more than three million people.

2. You don’t save your £35/£500 a year notification fee after all

There was a smidgen of excitement when the GDPR was revealed, that it could save companies a bit of cash. Currently data controllers at UK companies must notify the ICO of their data processing activities and pay a fee of either £35 or £500, which funds most of the ICO’s work. GDPR abolishes the current system requiring data controllers to notify the supervisory authority of their processing of personal data – and hence the UK fee disappears along with it.

However, the UK government has simply transferred the cash requirement across to the new Digital Economy Bill, so you’ll still end up paying a fee – and in fact, the amount could increase. The ICO says:

The new system will aim to make sure the fees are fair and reflect the relative risk of the organisation’s processing of personal data. The current draft proposal is a three tier system, which will differentiate between small and big organisations and also how much personal data an organisation is processing.

The new model is due to go live on 1 April 2018, but the exact fees are yet to be announced. Until then, if your annual notification is coming up for renewal, you should go ahead and pay the current £35/£500.

3. Not every organisation needs a Data Protection Officer

The role of Data Protection Officer (DPO) becomes “mandatory” under GDPR. However, not every organisation will need to rush out to appoint one. DPOs are only a pre-requisite at public authorities, and businesses where data processing and monitoring are done on a large scale.

4. IT and marketing people aren’t suitable DPOs

The GDPR states that the DPO must not be conflicted by having a dual role of governing data protection while also defining how data is managed. In practical terms, this means that an IT manager, IT director, CTO or security manager are not the best choices for your DPO. The marketing manager might also have a conflict of interest, while sensible options could be your head of finance, risk or legal. Your DPO doesn’t need to be someone within the organisation, and so it could be easier to appoint a lawyer or external expert.

5. Charities fall under the same rules

The ability to collect personal data and contact individuals is the lifeblood of the charity sector and its ability to fundraise. However, under GDPR, charities will have to abide by the same rules as every other organisation, explaining clearly why they are collecting personal data, how it will be used, and if it will be made available to third parties.

6. Consent is not always necessary

While consent is required in many cases to process personal information, it can be bypassed if there is a “lawful basis” for the processing activity. This information should be noted and included in your privacy notice. Local authorities processing council tax information, banks sharing data for fraud protection purposes, insurance companies processing claims information – for each of these, there is a different lawful basis for processing personal information that is not consent.

Consent is not required for all forms of direct marketing, either – letters can be sent and phone calls made to numbers not registered with the telephone preference service, provided they fall under a “legitimate interest” condition. However, people will still need to be given the opportunity to opt out of this type of contact. And a legitimate interest – for example, a charity aiming to further its cause - must not override the rights of the individual.

7. Pre-ticked opt-in boxes don’t cut it

GDPR clarifies that pre-ticked opt-in boxes are not indications of valid consent, so these will need to be exorcised from your business. You also have to make it easy for people to withdraw consent, and use clear and plain language when explaining consent. If you think your organisation might fall foul of any of these elements, any data you currently have on file must be refreshed – meaning contacting your current database to ask them to opt in again – if you want to keep in touch with them after 25th May.

8. Kids are a special case

Firms need parental consent to process children’s data. A child is classed as anyone under 16, but member states can lower this to 13.

9. Smaller firms have less to do

Smaller firms – those defined as having 250 employees or less – do not have to comply with all GDPR rules as standard. If your organisation falls into this band, there’s no need to have documentation of why personal data is being collected and processed, the information you’re storing or how long for. Smaller firms are not required to maintain a record of processing activities unless this carries a risk to the rights and freedoms of data subjects, it is a regular occurrence, or it relates to certain data like criminal convictions and offences.

10. You have 72 hours to report a breach – where feasible

Personal data breaches need to be reported to the relevant data protection agency – the Information Commissioner’s Office for UK organisations - within 72 hours. Individuals will also need to be notified if there is a high risk their data has been breached. However, if the breach “is unlikely to result in a risk to the rights and freedoms” of people, the reporting element is not required. And firms also have a slight get-out clause here with the insertion of the “where feasible” phrase attached to the 72-hour limit.

11. Privacy must be by design in IT systems

Organisations should review their IT systems and procedures to check they comply with GDPR requirements for privacy by design, ensuring only the minimum amount of personal data necessary is processed. Privacy Impact Assessments (PIAs) should be completed when using new technologies and the data processing is likely to result in a high risk to individuals.

12. The customer is king

Individuals are given extended powers over the data you retain about them under the new rules. They have an automatic right to be forgotten, so your company must have processes in place to permanently delete all of an individual’s records from their systems. Individuals can also request a copy of their data, so you need to develop a way to gather and export this data to present to users in a clear, simple format. There will not necessarily be a flurry of requests, but you need to be prepared.

13. You can’t share data outside the EU

The GDPR restricts the transfer of personal data to countries outside the European Economic Area (EEA) that are deemed by the EU to not provide an adequate level of protection, such as the US. Make sure any international data-sharing is covered under agreed rules, such as the EU – US Privacy Shield.

14. Brexit doesn’t matter (to GDPR)

Just tagging this one on the end, in case there is still any uncertainty around this.  Even though after Brexit, the UK government would technically be able to implement its own data protection laws, the government has clearly stated that it will maintain GDPR as a national law. So don’t hold off working through the new rules in the hope that Brexit will give you a perfect excuse for non-compliance. It won’t, and you might just end up being the first GDPR breach test case.

Disclaimer: This article is based on the best research we have but is intended for general information only. If you want legal certainty, don't rely on us, please consult a lawyer.