As the implementation date for the General Data Protection Regulation (GDPR) fast approaches, businesses may be wondering whether they have done enough to prepare for the May deadline.
The Information Commissioner's Office (ICO) has stated that although 25 May is the date the legislation takes effect, GDPR preparation doesn't end on this date; instead, it should be an 'ongoing journey'.
Businesses should continue to develop their compliance programmes over the coming months and understand the risks of getting things wrong.
1. Lawful processing
For any processing of personal data to be lawful under the GDPR, it must rest on one of the legal bases set out in Article 6. Firms must be able to identify the legal basis they rely on for each type of personal data they process, and it is advisable to document this in a central record of processing activities (the Article 30 record).
A procedure should also be established for adding any new types of data processing activities – for example, if a new service offering is developed.
Knowing which legal basis is being relied upon is key for two reasons.
Firstly, under transparency requirements, businesses must inform individuals of which one applies. As such, privacy notices need to be updated to include an explanation about this.
Secondly, individuals' rights depend on the legal basis being relied upon. For example, the right to data portability applies only where the legal basis is consent or contractual necessity and the processing is carried out by automated means. This makes it vital for businesses to know which legal basis applies to each type of data before putting procedures for handling GDPR requests in place.
Since the GDPR raises the bar to a higher standard of consent, firms should carefully review all processing where consent has been identified and consider the use of an alternative basis (for example, legitimate interests) wherever possible.
If firms get their consent mechanisms wrong, they could face substantial fines and the ICO has warned that there will be no 'grace' period after 25 May.
2. Individuals' rights
The GDPR significantly enhances the rights of individuals, with an extended right of access, a right to rectification and new rights to data portability and erasure of data.
Where an individual exercises any of these rights, the business must respond without undue delay and in any event within one month of receipt. This period can be extended by a further two months for complex or numerous requests, but the individual must be told of the extension, and the reasons for it, within the first month.
It is important therefore to provide ongoing staff training on the procedures to follow when dealing with individuals' GDPR requests.
Businesses should also carry out a risk assessment to ensure that each of their systems has adequate functionality to search, access, restrict processing of, delete or rectify the personal data held in that system.
Each system that processes data on the basis of consent or contract will also need to be able to provide that data in a "structured, commonly used and machine-readable format" and, where technically feasible, transmit it directly to another controller, as the data portability provisions of the GDPR require.
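The per-system capabilities listed in point 2 (search, access, restrict, erase, rectify, export) and the rule from point 1 that portability covers only data processed on consent or contract, shown together in an added Python example that is not from the article or from any regulator's guidance. It is an in-memory stand-in for a personal-data store with one function per right, a portability export that filters on the recorded legal basis, and the one-month (extendable to three) response deadline. The system names, data categories, sample subject and the JSON export format are constructed assumptions for illustration.

```python
"""Added example: minimal data-subject-request handling over a constructed
in-memory store. Names, categories and sample data are hypothetical."""
import calendar
import json
from dataclasses import dataclass, asdict
from datetime import date

# Article 6(1) bases as they would appear in the record of processing activities.
ARTICLE_6_BASES = {"consent", "contract", "legal_obligation",
                   "vital_interests", "public_task", "legitimate_interests"}
# Article 20: portability applies only to consent/contract data processed by automated means.
PORTABLE_BASES = {"consent", "contract"}


@dataclass
class Record:
    system: str            # internal system holding the data (hypothetical names)
    category: str          # e.g. "email", "order_history"
    value: object
    legal_basis: str       # Article 6 basis taken from the processing record
    automated: bool = True
    restricted: bool = False   # Article 18 restriction flag

    def __post_init__(self):
        if self.legal_basis not in ARTICLE_6_BASES:
            raise ValueError(f"no Article 6 basis recorded for {self.category!r}")


class PersonalDataStore:
    """Stand-in for the per-system search/rectify/restrict/erase/export functions."""

    def __init__(self):
        self._by_subject = {}   # subject_id -> list[Record]

    def add(self, subject_id: str, record: Record) -> None:
        self._by_subject.setdefault(subject_id, []).append(record)

    def access(self, subject_id: str) -> list:
        # Article 15: everything held about the subject, whatever the basis.
        return list(self._by_subject.get(subject_id, []))

    def rectify(self, subject_id: str, category: str, new_value) -> int:
        changed = 0
        for r in self._by_subject.get(subject_id, []):
            if r.category == category:
                r.value, changed = new_value, changed + 1
        return changed

    def restrict(self, subject_id: str, category: str) -> int:
        flagged = 0
        for r in self._by_subject.get(subject_id, []):
            if r.category == category and not r.restricted:
                r.restricted, flagged = True, flagged + 1
        return flagged

    def erase(self, subject_id: str, category=None) -> int:
        # Article 17: delete matching records, or all of the subject's data if no category given.
        before = self._by_subject.get(subject_id, [])
        keep = [r for r in before if category is not None and r.category != category]
        self._by_subject[subject_id] = keep
        return len(before) - len(keep)

    def portability_export(self, subject_id: str) -> str:
        # Article 20: only consent/contract data processed by automated means,
        # in a structured, commonly used, machine-readable format (JSON here).
        portable = [asdict(r) for r in self._by_subject.get(subject_id, [])
                    if r.legal_basis in PORTABLE_BASES and r.automated]
        return json.dumps({"subject_id": subject_id, "records": portable}, indent=2)


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic, clamping to the last day of the target month."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def response_deadline(received_iso: str, extended: bool = False) -> str:
    """Article 12(3): one month from receipt; three months in total if the
    extension for complex or numerous requests is invoked. ISO date strings
    as a request log would store them."""
    return add_months(date.fromisoformat(received_iso), 3 if extended else 1).isoformat()


def build_sample_store() -> PersonalDataStore:
    """Constructed sample data for one hypothetical subject."""
    store = PersonalDataStore()
    store.add("u-123", Record("crm", "email", "a@example.com", "consent"))
    store.add("u-123", Record("orders", "order_history", ["o-1", "o-2"], "contract"))
    store.add("u-123", Record("fraud", "risk_score", 0.2, "legitimate_interests"))
    store.add("u-123", Record("archive", "paper_form_note", "signed 2016", "consent",
                              automated=False))
    return store


if __name__ == "__main__":
    s = build_sample_store()
    print(s.portability_export("u-123"))      # email and order_history only
    print(response_deadline("2018-05-31"))    # 2018-06-30
```

The point of the export filter is that the portability response is narrower than the access response: the fraud score (legitimate interests) and the paper record (not automated processing) are returned under Article 15 but excluded from the Article 20 export. Deadline arithmetic clamps to month end, so a request received on 31 May falls due on 30 June rather than overflowing into July.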