What is the GDPR?

The General Data Protection Regulation (GDPR) is a piece of legislation which will overhaul data protection law in the EU. It comes into force on 25 May 2018 and will harmonise EU data protection law. (In the case of the UK, the principles enshrined in the GDPR will continue to apply post Brexit by virtue of the European Union (Withdrawal) Bill).

There is a lot that could said about the GDPR but this article highlights the data protection principles and the practical steps organisations can take to prepare themselves before May 2018.

Throughout this article, we use the term ‘personal data’. Personal data means any information relating to an identified or identifiable living individual. This is a broad term which includes identification by reference to a name, identification number, location data, an online identifier or to one or more factors specific to the individual’s physical, physiological, genetic, mental, economic, cultural or social identity.

How does the GDPR differ from current, national data protection laws?

The GDPR is wide-ranging. Not only will it impact nearly every organisation that is based in the EU, but it will also apply to non-EU organisations in certain circumstances.

The GDPR imposes greater compliance obligations on data controllers and data processors, and it gives data subjects more powerful rights to enforce against them.

The data protection principles

There are seven data protection principles. Most of these will already be familiar, but the GDPR will impact their scope in varying degrees.

  1. Fair, lawful and transparent processing. Personal data must be processed in a way that is fair, lawful and transparent to the data subject. This means that organisations must tell individuals what personal data they are collecting, why they are collecting it, what it will be used for and how long it will be kept for. They must also be informed about their various rights. All of this information must be covered in an organisation’s privacy policy.

    It may not always be practical to present a single document (such as the privacy policy) to an individual in order to communicate how you will be using their personal data. In these cases, short statements known as fair processing notices will be useful. Fair processing notices can feature on documents such as application forms or on first or ongoing communications with data subjects. They can summarise how personal data will be used and signpost people to the more detailed privacy policy. Organisations may wish to check what their relevant supervisory authority recommends in terms of communicating privacy information. To give an example, the UK’s Information Commissioner’s Office believes it is good practice to develop a blended approach, using more than one method to present privacy information to data subjects.

    Organisations must also create a ‘record of processing activities’ which details the categories of data subject and personal data collected from them, the purpose for processing, the condition for processing, categories of recipients, retention periods and security measures that are in place to protect their data. This is an internal document which the organisation must be able to provide to the relevant supervisory authority on request.

    In producing this record, organisations are encouraged to review the processing they carry out the identifying a lawful basis for all their data processing activities. If the basis is consent, the organisation should review how consent was obtained and clear any names from its database where it cannot prove how consent was obtained. Under GDPR, consent must involve an affirmative action by the data subject, be clearly presented and be as easily revoked as it is given.

    Finally, if the organisation shares personal data with third parties, it must explain this in the privacy policy and review (or implement) any data processing agreements it has in place with the third parties.
     

  2. Purpose limitation. The data subject must know the purpose for which you are collecting their data, at the point of collection. Before you use this personal data for another purpose, you must consider whether it is compatible with the original purpose for which it was collected.
     
  3. Data minimisation. The personal data your organisation collects must be limited to the purpose for which it is processed. In other words, don’t collect absolutely everything about the data subject.
     
  4. Accuracy. Organisations must ensure that the personal data they process is accurate and, where necessary, kept up to date. They must also take reasonable steps to ensure that any inaccurate personal data is erased or rectified without delay.
     
  5. Storage limitation. Organisations must ensure that personal data is kept in a form which permits identification of data subjects for ‘no longer than is necessary’ for the purposes for which the personal data is processed. To comply with this principle, organisations must review their data retention policies (or produce one). They must also be prepared to justify their reasons for retaining personal data for the periods they have selected.
     
  6. Data security. Organisations must use appropriate technical or organisational measures so that personal data is processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. These measures would be set out in an organisation’s IT security policy. Finally, organisations must also have procedures in place for detecting, investigating and reporting data breaches.
     
  7. Accountability. The GDPR introduces an overarching accountability principle, which requires organisations to demonstrate compliance with all of the principles. In doing so, organisations must:
  • set out the direction for data protection compliance in a framework of policies and procedures. This would be covered in a data protection policy, which is an overarching, internal policy which cross refers to all the other policies. One of its purposes is to inform staff about, and to direct them to, the various policies adopted by the organisation;
  • monitor compliance with their policies;
  • implement data protection training for all staff;
  • implement appropriate technical and organisational measures to show that it has considered and integrated data protection into its processing activities (otherwise known as ‘privacy by design’, which includes carrying out a Privacy Impact Assessment to identify and reduce privacy risks of any projects adopted by the organisation); and
  • appoint a data protection officer or designate lead responsibility for data protection compliance to a suitable individual within the organisation.

Action points

The requirements under the GDPR may seem overwhelming and extensive, and organisations might not know where to start. In advance of 25 May, the key actions and deliverables for organisations to focus on include:

  • creating a detailed record of data processing activities;
  • revising or issuing privacy policies and notices;
  • adopting a data protection policy;
  • amending existing or creating new data processing agreements with third parties;
  • reviewing or issuing an IT security policy;
  • implementing a procedure for managing personal data breaches;
  • ensuring all parts of the organisations are aware of the privacy by design requirements and implementing a Privacy Impact Assessment process; and
  • training staff and testing systems.

Consequences of non-compliance

The GDPR dramatically increases fines for non-compliance. The maximum fine for a single breach is the greater of EUR 20 million or four per cent of annual worldwide turnover.

That being said, there is still sufficient time for organisations to get in shape and achieve compliance.

Communications

Whilst there are undoubtedly some serious organisational changes required, cultural and behavioural change is needed as well. Teams will have to know what they can and cannot do under the new regime. That makes the communications of critical importance. Training and regular engagement needs to be the order of the day.

But more than that, organisations also need to consider what to do if they themselves identify failures and breaches. What should individual employees do? Are they aware of what the policies and procedures require in practice?

And what happens if organisations get this wrong? Individual regulators will undoubtedly be on the look-out for breaches: so someone has a crisis just waiting to happen. As with any such problem, the more preparation that can be done the better. So the communications teams need to understand what steps have been taken to adapt to the “new world" and detailed records of all the changes, training, education and procedures need to be kept.

Those that choose not to take GDPR seriously are taking a huge gamble with their reputations, finance and careers. Those dealing with it properly need marketing and communications professionals, and lawyers, working together. That is not always without its own challenges.

This article was originally published in Communication Director.