GDPR Legal Compliance

The EU General Data Protection Regulation (GDPR) will come into force on 25 May 2018. It is a shake-up of the existing data protection regime, which was developed by lawmakers in the mid-1990s, a time when digital infrastructures and business technologies were considerably less advanced. Under the GDPR, individuals and consumers will have enhanced rights regarding their personal data, and organisations face much greater penalties for non-compliance. Below, South Bank Legal looks at some of the main legal compliance steps organisations should be taking in advance of the GDPR’s implementation date.

Accountability – demonstrating GDPR compliance

The GDPR sets out a new, specific data protection principle not found in the current Data Protection Act 1998: the principle of accountability. Concisely stated, the accountability principle is that organisations must be able to demonstrate their compliance with the data protection principles when processing personal data. In practice, therefore, to satisfy the accountability principle organisations will need to be able to point to what their formal GDPR compliance measures are. Such measures would generally include:

  • staff training;
  • data protection officer appointment;
  • carrying out audits;
  • breach reporting procedures; and
  • creation and maintenance of registers and records necessitated by the GDPR.

Organisations that set out how they undertake GDPR compliance in a properly prepared, formal policy document will invariably be better placed than those taking an ad hoc and undocumented approach.

Data Protection Officers

The GDPR will make it mandatory for some organisations to appoint a data protection officer (DPO), who must have appropriate expert knowledge of data protection law and practices. The DPO’s function will be to oversee an organisation’s data protection measures in order to facilitate GDPR compliance. Any organisation can appoint a DPO, but a DPO will only be mandatory for:

  • public authorities;
  • organisations whose core activities require regular and systematic monitoring of individuals on a large scale; and
  • organisations whose core activities involve processing special categories of data and personal data relating to criminal convictions, on a large scale.

For some organisations it will be obvious that they are required to appoint a DPO. For others it may be more of a grey area on which legal advice will be required. In any case, the DPO function can be outsourced under a service contract. This will often be a more cost-effective option than employing a full-time DPO and will no doubt lead to a surge in the number of professional firms providing data protection compliance services to organisations.

Privacy policies

Most organisations will already have a privacy policy available to their clients online. Invariably, existing privacy policies will require reviewing and updating so that they conform with the information provision requirements found in Articles 13 and 14 of the GDPR. Organisations (data controllers) will need to provide data subjects with information such as:

  • the controller’s identity, including its full legal name and contact details, and the contact details of any DPO;
  • the nature of the personal data being collected (and note that the GDPR changes the definition of “personal data”);
  • the ways in which personal data is collected; and
  • what the various rights of individuals are as regards their personal data and how those rights may be exercised.

The above list is by no means exhaustive. Like an organisation’s data protection compliance policy, its privacy policy ought to form a cornerstone of its GDPR compliance strategy and should be reviewed and updated in the lead-up to the GDPR’s implementation.

Consent

Consent from data subjects to the processing of their personal data will be harder to obtain under the GDPR. Organisations will need to adapt their systems, procedures and documents to the new rules. They will need to obtain an unambiguous indication that the data subject has consented to their personal data being processed, so pre-ticked boxes and inactivity cannot be relied upon, and consent must be freely given. Consent cannot be freely given where, for example, the data subject cannot refuse consent without suffering detriment. Consent will also need to be informed. An organisation will therefore not be able to obtain a blanket consent covering a range of different data processing activities; a valid consent will need to identify the specific purpose for which it is given.

Organisations will therefore have to review and update their methods for obtaining consent (of which the privacy policy will be one) very carefully. Helpfully, the Information Commissioner’s Office has published draft guidance on the topic.

Concluding comments

The GDPR represents a major overhaul of data protection law. The specific changes discussed above are selected aspects of the new regime only and are far from an exhaustive list. Organisations will also have to review their approach to data protection in areas such as data breach identification and reporting, pseudonymisation, the right to be forgotten and subject access requests. Taking the right GDPR legal compliance advice in a timely manner should, however, help to equip organisations for the changes ahead.

South Bank Legal is a commercial law firm in London, and our solicitors act for companies and other business organisations that will be subject to the GDPR when it comes into force in May 2018. If you would like a confidential discussion about what your organisation could be doing to ensure it is GDPR compliant, then please feel free to get in touch.