Explore Some of the Best Practices for GDPR Compliance in this new Dun & Bradstreet White paper, Commissioned by the CICM
The countdown has begun. The General Data Protection Regulation (GDPR) comes into effect throughout the EU in May 2018, bringing data protection legislation in line with new, previously unforeseen ways that data is used. It is the culmination of four years of work by the EU and replaces the current Data Protection Directive adopted in 1995.
The GDPR introduces tougher fines for non-compliance and breaches, gives citizens more say over what organisations can do with their data, and aligns data protection rules across the EU. Brexit will not be a barrier to the UK’s participation in the GDPR either. The UK will still be subject to the EU law, and the UK Government has signalled its intention to observe it following Brexit.
So what remedial steps can your organisation take to prepare for the May 2018 deadline? This new Dun & Bradstreet white paper, commissioned by the Chartered Institute of Credit Management, offers sage advice to help plan for GDPR compliance.
1. Know your data protection definitions
The main definitions of the current Act will generally remain unchanged under the GDPR. If you have a good understanding of the concepts of “personal data,” “sensitive personal data,” “controller,” and “processor,” for example, you can transfer those to your understanding of the GDPR.
There are some caveats, though. For instance, “sensitive personal data” now includes biometric and genetic data, but excludes criminal convictions. Moreover, “processors” now have legal obligations under the GDPR, and organisations should understand what those responsibilities are and distinguish them from the duties of the “controllers.” And while the definition of a data subject has not changed with the GDPR, it’s worth ensuring the extent of what constitutes a data subject is properly captured.
2. Know your ground of processing
The ground of processing your business currently relies upon will most likely be the same under the GDPR. “Legitimate business interest” – the most commonly used ground in the UK – remains present in the GDPR, and will be extended to other countries that have so far not incorporated this concept into domestic legislation. Take care, though, to ensure you are properly executing the ground you are relying on, as the GDPR places new or increased obligations here.
Processing under legitimate interest, for example, must be balanced against the rights of the data subject, and businesses will need to record why they consider that their legitimate interests are not overridden by the interests of the data subjects. The GDPR also clarifies that “affirmative consent” is required for consent to be valid. In other words, silence, pre-ticked boxes, or inactivity can no longer be construed as consent. Make no mistake, data protection authorities will take a dim view of businesses that claim to process on the basis of consent without having obtained it affirmatively.
3. Know your high-risk activities
Under the terms of the GDPR, organisations need to adopt a risk-based approach to data processing activities. In relation to security, there is the obligation to carry out a privacy impact assessment to determine the level of risk of a particular activity. In practical terms, this generally means a business needs to assess all of its activities to identify those that are high-risk—a potentially time-consuming exercise.
4. Know when to notify of a breach
If you are processing data within the EU and a data breach occurs that could result in harm to data subjects, your organisation is legally obliged to notify the local Data Protection Authority. However, not all breaches require notification, and the time frame (72 hours) could be very difficult to achieve. Review your breach management procedures to be safe.
5. Know which rights your data subjects have
All current data subject rights will remain in place, and most are being expanded. To manage these data subject rights, you need to focus on providing correct and detailed fair processing notices, streamlining subject access requests, ensuring efficient procedures to manage rectification and erasure requests, and restricting processing while a rectification query raised by a data subject remains unresolved.
6. Know your profiling
Profiling is a form of automated decision making that relies on personal data (credit scoring, for example). Data subjects do not have the right to avoid being profiled, but they do have the right not to be subjected to a decision based on purely automated profiling.
The white paper provides numerous guidelines on profiling safeguards. Among them are the need to:
- Notify the data subject when the data is collected that profiling will occur, the logic involved in profiling, and the envisaged consequences of the profiling
- Respond to data subjects inquiring whether they have been profiled and the consequences
- Have the automated decision reviewed by a human if requested by the data subject
7. Know your international data transfers
Companies with subsidiaries inside and outside of the EU should note the inclusion of Binding Corporate Rules (BCRs) in the GDPR — a mechanism for intra-company transfers around the world. Bearing in mind the current threats to other mechanisms such as standard contractual clauses and the Privacy Shield, BCRs will be an attractive option to many companies after May 2018.
To discover more about best practices for effective GDPR compliance, read the full white paper.