The General Data Protection Regulation (GDPR) aims to modernise data protection, but many businesses may be concerned about the amount of work that appears to be required in order to be GDPR-ready.
Being prepared for the GDPR, and the new laws in Jersey and Guernsey (which are due to come into force in May 2018), is vital. However, there is also time to ensure the work is completed in a measured and informed way.
Our dedicated team is available to steer you through the process. We will be doing so in three ways:
- Updates: sending out regular factsheets to track the progress of the GDPR and the new laws and to highlight some of the key areas businesses should be looking at. If you would like us to extend these updates to any of your colleagues, please ask them to send an email request to Laura Preston;
- Training: We are aiming to host a seminar on the GDPR in the Autumn, by which time the new laws should be out for consultation so we will be able to speak about the new provisions in more detail. Watch this space for our seminar date. We can also provide bespoke training to your business so that the new measures can be discussed with your business needs in mind;
- Advice: Ultimately, the impact of the GDPR is likely to vary greatly from business to business, depending on the nature of your work and the jurisdictions you operate in. Our team is available to provide tailored advice to assist your business in ensuring your policies, procedures and third party contracts are ready to meet the requirements of the GDPR.
Bookmark this page and read our updates for further news, or contact one of our GDPR specialists.
Our team can:
- Provide GDPR legal advice.
- Assist in the review of current policies and procedures to help identify gaps or areas where common problems may arise and where work is likely to be needed as a result of the GDPR.
- Provide tailored in-house training specific to the aspects of the GDPR that are most relevant to your business.
- Review and draft relevant contracts and policy documents.
- Review and draft privacy notices.
Guide to GDPR
Read our series of practical guides to getting ready for the GDPR. We will regularly publish new issues that will help you systematically prepare.
Issue 1. Are you compliant with the current law?
The first step to becoming GDPR compliant is to ensure that your business meets the requirements set out in current law. Our team can advise you on all your current data protection obligations and help you to review whether or not you meet these. You should consider three critical actions at this stage:
1. Conduct a data protection audit and map out where there are gaps:
- review all your data protection policies and ensure that you are complying with them; and
- prepare a spreadsheet of all the personal data you hold, noting all the relevant information to identify any gaps in your data-processing activities.
2. Set out a clear action plan detailing how you will bridge those gaps: identify the key people and stakeholders (both internal and external) needed to help you achieve compliance.
3. Put a timetable together so that you can monitor your actions and progress.
Issue 2. Consent
Consent remains one of the legal bases that may be relied on to process the personal data of data subjects. There are, however, some key changes to be aware of under the GDPR.
The GDPR confirms the need for "a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing".
This means that organisations will not be able to rely on silence or pre-ticked boxes to constitute consent, and will bear the burden of proving that consent has been validly obtained. Appropriate records to provide evidence of such consent will also be absolutely essential.
The GDPR confirms that consent will not be the appropriate legal basis where there is inequality between data subject and controller or where the individual has no real free choice in giving consent. In addition, as it will be easier for data subjects to withdraw their consent, where organisations currently rely on such consent to process the personal data, they will be well advised to consider whether there is a more appropriate legal basis in the circumstances.
- Consider whether or not the consent you have in place complies with the GDPR. If not, you will need to seek consent again or rely on a different legal basis.
- Review how consent is sought and recorded and ensure that you have records of consent and that they are easily accessible.
- Ensure that your consent clauses within documents, such as employment contracts, are reviewed.
- Consider whether you process the personal data of children; if so, you will need to obtain parental consent to continue to do so.
Issue 3. Subject Access Requests (SARs)
Under the GDPR, data subjects will have extended rights in respect of the personal data you hold about them. In the main, subject access requests will have to be complied with within one month of the request, subject to a two-month extension where, for example, the request is particularly complex.
In these situations, it will be up to the controller to inform the data subjects of any such extension and the reasons for it within one month of the request.
Such requests will also have to be complied with free of charge unless they are manifestly unfounded, excessive or repetitive in which case you may charge a reasonable fee or refuse to act on the request altogether.
Remember that the burden of proving that a request is manifestly unfounded, excessive or repetitive will rest on you. The curtailment of the right to charge a fee will not make a huge difference in practice (the current fee of £10 rarely covers the actual costs involved in complying with such requests). However, as the current time limit for responding to subject access requests is 40 days in Jersey and 60 days in Guernsey, the reduced time period for compliance may well be harder to adapt to.
- Ensure that you have processes in place to deal with subject access requests.
- Delegate responsibility for dealing with such requests.
- Draft appropriate policies and provide appropriate training so that staff know what to do in the case of such requests.
- Consider conducting a cost/benefit analysis of providing data subjects with online access to their information.
Issue 4. Data Breaches
Watch this space for Issue Four of our GDPR readiness practical guides programme.