The text of the much anticipated new EU General Data Protection Regulation has finally been voted through just a few hours ago by the European Parliament. All that remains is for its publication in the Official Journal, likely to be mid-May, and the two year implementation period will run from this date. For various reasons the Regulation (or something like it) will probably apply regardless of Brexit.
Day one compliance is required. Businesses should now consider the issues and changes they will need to make and use the implementation period to put them into effect, e.g. in terms of their procedures, systems and technology, in order to be ready. Some of these may involve substantial lead times, not least if transition is to be effected in an economical manner. The imminent arrival of the Regulation makes the ICO's recent list of 12 preparatory steps to take now even more pertinent. We summarise this below, with our own commentary.
Decision makers in your business need to know that important changes are coming, because of the impact on e.g. operational effectiveness, costs and risk.
An essential starting point will be to map your use of personal data, e.g. what you hold, why and where you hold it, how long it is kept for and who you share it with – and how the picture may look in 2018 and beyond. Only by having a reliable and up-to-date picture will you be in a position to start planning your GDPR compliance programme.
Can you show consent?
In many cases you need data subject consent to your use of their data. The requirements surrounding obtaining and being able to demonstrate consent to your use will be much tighter (particularly in direct marketing, use of online behavioural advertising etc – for instance "opt out" boxes will no longer be acceptable). As well as updating your IT systems to facilitate this, you may need to re-consent your marketing database and update privacy notices in time for 2018.
Is your processing justified?
You will also need to show why, legally, you are justified in holding and using each set of personal data. This will need careful analysis to make sure that where you want to use data for business purposes the necessary conditions are satisfied to legally justify its processing under GDPR.
Changes to IT systems?
- The new rules could well mean that you need to re-build your websites to make sure you get appropriate consents to your use of personal data and cookies; and then you may need to update your supporting IT systems to ensure that you can demonstrate consent if challenged;
- Data cleansing and the "right to be forgotten": you will want your systems to be capable of supporting easy rectification (or erasure) of data and (as now) suppression of direct marketing where this is requested;
- Portability: individuals will have a right to data portability in a commonly used machine readable format and to transfer it to other service providers. How will you do this?
Data protection by design, and privacy impact assessments
What is currently a recommendation from regulators will become binding law. You will need to show that your internal processes implement "data protection by design and by default" (e.g. the principle of data minimisation: only collect, use and retain the data you need). For both existing and new types of processing, you may need to carry out a privacy impact assessment where there is a high risk to individuals. Embedding this in your corporate culture will need careful planning.
Not an issue raised by the ICO, but also important: if you are entering into arrangements which may still be in place in 2018 under which you share personal data with others (joint controllers, data processors etc), you will need to consider how to "future proof" the contract terms so that you can make sure that all necessary changes are made in time, to keep you compliant.
The ICO list of things to do now contains a number of further steps which you may feel are less urgent, or which may be of more limited relevance to your business. These include (a) updating existing procedures for dealing with subject access requests; (b) if you deal with children, the rules are getting tighter (e.g. how will you verify ages?); (c) there will be a legal duty to report some data breaches within a short timescale; (d) some businesses will need to appoint a data protection officer; and (e) if you operate internationally (and depending on your structure), there may be decisions to be made about which lead supervisory authority you will come under (the so-called "one stop shop"), as well as a need to review how transfers of personal data outside the EEA will continue to be permitted. In addition, if your business is a data processor, you will now have direct obligations to the regulator and to data subjects, in a way which has not previously been the case.
Inevitably this is a very short summary. We will be publishing more detailed guidance as well as providing training on what it all means in practice.