At a glance
- The General Data Protection Regulation (GDPR) applies from 25 May 2018 (it entered into force in May 2016, with a two-year transition period)
- GDPR represents an important strategic risk for every organisation that processes personal data, requiring significant action in order to remain compliant
- We look at GDPR’s key provisions and how you can prepare
The countdown has begun to the European Union's General Data Protection Regulation (GDPR). Applying from 25 May 2018, this major piece of legislation establishes a new legal framework for the management of personal data.
Significant work is required to ensure compliance by the 2018 deadline, and organisations should already be well under way in their preparations.
We look at what steps organisations should be taking now in response to GDPR and how you can help them in their preparations.
GDPR at a glance
GDPR represents the biggest shake-up of data protection laws in 20 years. It is a Europe-wide piece of legislation which, as a Regulation, applies directly in all European Union (EU) Member States without the need for national implementing legislation.
The UK government has confirmed that the decision to leave the EU will not affect organisations’ need to comply.
GDPR makes a number of important changes to the UK's existing framework (currently governed, primarily, by the Data Protection Act 1998), including:
- Wider scope – applies not only to organisations established in the EU, but also to those outside the EU that offer goods or services to individuals in the EU or monitor their behaviour
- Operations – organisations must adopt a privacy by design approach, demanding a comprehensive review and enhancement of all systems, processes, products and services to meet GDPR standards
- Sanctions – tougher enforcement and significantly higher fines of up to €20m or 4% of annual worldwide group turnover, whichever is higher
- Wider definition – personal data covers any information relating to an identified or identifiable person, including online identifiers such as location data, IP addresses and cookie identifiers
- Lawful processing – GDPR raises the bar on when organisations can lawfully collect and process personal data
- Consent – new rules on what constitutes consent (in particular, consent must be given by a clear affirmative action; pre-ticked boxes, silence or inactivity do not count) and the need to refresh consent for any existing data that does not meet GDPR standards
- Transferring – stricter conditions for when data can be transferred between entities, particularly outside the EU
- Breach notification – new requirements and tighter deadlines: breaches must be notified to the supervisory authority within 72 hours of the organisation becoming aware of them, where feasible, and to affected persons without undue delay where the breach is likely to result in a high risk to them
- Subject rights – greater rights for data subjects, including the right to rectification of inaccurate data, the right to erasure (the "right to be forgotten") and the right to data portability
- Internal governance – requirement for certain organisations to formally appoint a Data Protection Officer, including prescribed duties and responsibilities
- Accountability – a large focus on the need to evidence compliance, not merely to achieve it
12 steps to preparation
GDPR is not simply a question of compliance; it requires organisations to completely transform the way they collect, store, process and share personal data.
The Information Commissioner’s Office (ICO) – the UK’s independent authority governing data protection – has issued the following 12 steps that organisations need to take now in preparation for the 25 May 2018 deadline.
- Awareness – key people in the organisation should be aware of GDPR and its implications.
- Information held – create an Information Asset Register to fully understand what personal data you hold, where it came from, how it is stored and who it is shared with. This register also forms the basis of the records of processing activities that GDPR requires most organisations to maintain.
- Communication – review current privacy notices and plan how you will change them in response to GDPR.
- Individuals’ rights – ensure internal procedures can respond to the new rights of individuals.
- Subject access requests – update procedures to meet the new timescales and requirements: requests must generally be answered within one month (rather than the current 40 days) and, in most cases, free of charge.
- Lawful basis – identify your lawful basis for processing any data. Document this and update privacy notices to explain it.
- Consent – review how you seek, record and manage consent. Refresh existing consent if it does not meet GDPR standards.
- Children – understand whether you need new systems to verify individuals’ age or obtain parental or guardian consent.
- Data breaches – establish procedures to effectively detect, report and investigate breaches.
- Protection by design – familiarise yourself with the ICO's guidance on Privacy Impact Assessments and the Article 29 Working Party's guidelines on Data Protection Impact Assessments (DPIAs), which GDPR makes mandatory for processing likely to result in a high risk to individuals.
- Data Protection Officer (DPO) – designate someone to take responsibility for data protection compliance and decide where that role sits within the organisation's governance structure. Establish whether you must formally appoint a DPO, as public authorities and organisations whose core activities involve large-scale regular and systematic monitoring of individuals, or large-scale processing of special categories of data, are required to do.
- International – if you process data across borders, determine your lead supervisory authority.
Many behind schedule
As the ICO's 12 steps demonstrate, significant work is needed to prepare for GDPR. However, according to a recent survey, a quarter of organisations are either still unaware of the regulation or have not yet begun their preparations.
“It takes anywhere from nine to 12 months for an average organisation to achieve GDPR compliance,” says Anthony Connolly, Strategic Risk Consultant at Zurich.
“With less than eight months now to go, it is a concern that so many organisations remain unprepared for this major change to our data protection laws.”
For more information on anything discussed here, please speak with your local Zurich contact.
Questions to ask
GDPR represents a major strategic risk for organisations, with a stricter approach to enforcement and higher penalties for non-compliance.
The following questions can help assess preparedness for GDPR:
• Is your GDPR implementation plan on track for 2018?
• Do your key people have a sufficient understanding of the requirements of GDPR, and have they been provided with suitable training?
• Do you have an Information Asset Register that identifies high-risk data processed by the organisation?
• Does the organisation have the capacity to respond to a potential increase in subject access requests within the reduced timescales of GDPR?
• Do you have effective processes and procedures in place to detect, report and investigate data breaches?
• Have you appointed a Data Protection Officer who reports to the Executive Management Team / Board?