Legal briefing | 01 May 2017 |

The countdown to GDPR begins

1 year to go until the "game-changing" new EU data protection law comes into force

The new EU General Data Protection Regulation will come into force in the UK on 25 May 2018 and, for various reasons, the Regulation (or something like it) is likely to remain a part of English law regardless of Brexit. The new UK Information Commissioner, Elizabeth Denham, was quoted in January saying "make no mistake, this one's a game changer for everyone".

Day one compliance is required. Businesses should now consider the issues and changes they will need to make and use the next twelve months to put them into effect, e.g. in terms of their procedures, systems and technology, in order to be ready. Some of these may involve substantial lead times, not least if transition is to be effected in an economical manner. The imminent arrival of the Regulation makes the ICO's list of 12 preparatory steps to take now even more pertinent. We summarise this below, with our own commentary.

Awareness

Decision makers in your business need to know that important changes are coming, because of the impact on e.g. operational effectiveness, costs and risk. In the past, data protection has often been left to legal and IT teams but it should no longer be viewed as just a mild inconvenience. Rather, it should be on the agenda at board-level for all businesses and budget should be set aside for compliance.

Data mapping

An essential starting point will be to map your use of personal data, e.g. what you hold, why and where you hold it, how long it is kept for and who you share it with – and how the picture may look in 2018 and beyond. Only by having a reliable and up-to-date picture will you be in a position to start planning your GDPR compliance programme.

Can you show consent?

In many cases you need data subject consent to your use of their data. The requirements surrounding obtaining and being able to demonstrate consent to your use will be much tighter (particularly in direct marketing, use of online behavioural advertising etc – for instance "opt out" boxes will no longer be acceptable). As well as updating your IT systems to facilitate this, you may need to reconsent your marketing database and update privacy notices in time for May 2018.

Is your processing justified?

You will also need to show why, legally, you are justified in holding and using each set of personal data. This will need careful analysis to make sure that where you want to use data for business purposes the necessary conditions are satisfied to legally justify its processing under GDPR.

Changes to IT systems?

The new rules could mean that your websites will need re-building to ensure appropriate consents to your use of personal data and cookies are obtained. You may need to update your supporting IT systems to ensure that you can demonstrate consent if challenged.
Data cleansing and the "right to be forgotten": you will want your systems to be capable of supporting easy rectification (or erasure) of data and (as now) suppression of direct marketing where this is requested.
Portability: individuals will have a right to data portability in a commonly used machine readable format and to transfer it to other service providers. How will you do this?

Data protection by design, and privacy impact assessments

What is currently a recommendation from regulators will move to become binding law. You will need to show that your internal processes implement "data protection by design and by default" (e.g. the principle of data minimisation: only collect, use and retain data you need). Both existing and new types of processing may need you to carry out a privacy impact assessment where there is a high risk to individuals. Careful planning will be needed to embed this in corporate cultures.

Contracts

Not an issue raised by the ICO, but also important: if you are entering into arrangements which may still be in place in May 2018 under which you share personal data with others (joint controllers, data processors etc), you will need to consider how to "future proof" the contract terms so that you can make sure that all necessary changes are made in time, to keep you compliant.

What else?

The ICO list of things to do now contains a number of further steps which you may feel are less urgent, or which may be of more limited relevance to your business. These include (a) updating existing procedures for dealing with subject access requests; (b) if you deal with children, the rules are getting tighter, e.g. how will you verify ages? (c) there will be a legal duty to report some data breaches within a short timescale; (d) some businesses will need to appoint a data protection officer; and (e) if you operate internationally (and depending on your structure), there may be decisions to be made about which lead supervisory authority you will come under (the so-called "one stop shop") as well as needing to review how transfers of personal data outside the EEA will continue to be permitted. In addition, if your business is that of data processor, you will now have direct obligations to the regulator and to data subjects, in a way which hasn't previously been the case.

Inevitably this is a very short summary. We will be providing training on what it all means in practice. Please ask one of the partners listed below if you would like to a have a bespoke training session for your business.

Read Louisa Chambers Profile