27 FEB 2018
With the General Data Protection Regulation (GDPR) shortly to come into force, Alexandre Euverte and Noirin McFadden advise businesses on how to ensure compliance.
On 25 May, the General Data Protection Regulation (GDPR) will enter into force and replace the Data Protection Directive 96/46/EC as the personal data protection regime in Europe.
With the dramatic increase in the maximum penalties for non-compliance – which is now the greater of €20m or 4% of worldwide turnover – early planning is essential to ensure businesses comply in time.
The greatest challenge created by the GDPR is the principle of accountability, requiring organisations to demonstrate their continuing compliance. They must be fully aware of their data-processing activities, including knowing what personal data is processed, where it originates or is sent, and the legal basis for dealing with it.
Organisations will need to be able to show the data protection regulator and individuals whose data they hold how they comply, on an ongoing basis, by providing evidence of policies and processes, effective internal and external controls, among other measures.
Accountability means organisations must exercise extra care when creating products or services that entail processing of personal data by ensuring that these are designed with data protection compliance in mind, that is, privacy by design. Similarly, organisations must ensure that they always process personal data in accordance with the data protection requirements, that is, privacy by default.
To demonstrate that they do so, organisations may have to carry out privacy impact assessments before processing data using new technologies, to review not only the risks to individuals generated by such processing but also their remediation procedures.
Businesses can take the following steps now to ensure they are compliant when the GDPR comes into effect:
The GDPR requires organisations to keep detailed records of the personal data they collect and process. Most will need to carry out an organisation-wide audit of their data-processing to ascertain what personal data they hold, where this originates, what the organisation does with it, with whom they share it and for what purposes, as well as how the rights of the individuals are enforced. This information should be documented in a record of processing.
Internal policies and procedures should be checked to ensure that they meet the requirements of the GDPR. For instance, staff handbooks should be kept up to date in terms of personal data collected from employees, and a written and comprehensive information security programme should be in place to protect the confidentiality and integrity of personal data held. The organisation’s contracts with suppliers and customers ought to be checked as well to ensure that appropriate provision is made to protect personal data, allocate the risks of liability, and enable cooperation between parties to demonstrate compliance.
Organisations that regularly and systematically monitor data subjects as part of their core activity or that process sensitive personal data on a large scale will need to appoint a data protection officer (DPO). The organisation should also consider whether the DPO should be internal or external, and ensure that the role is at a sufficiently senior position in the management structure.
It is likely that organisations will need to amend their existing privacy polices and notices to cover the higher standard set by the GDPR, and, in particular, to inform people about their privacy rights and any data retention periods, among other relevant information on how their data is processed. Different policies are likely to be required to cover the processing of personal data on clients, employees, suppliers and marketing contacts. In each case, the policy needs to be accessible at every relevant collection point, such as websites and application forms.
A new requirement introduced by the GDPR is that organisations must notify the data protection regulator of certain personal data breaches without undue delay and, where feasible, within 72 hours. Organisations should ensure that they have in place appropriate data breach response plans, which may require internal reporting structure changes as well as staff training. It is also advisable to ensure that contracts with the suppliers and partners who have access to the organisation’s personal data contain obligations to report any data breaches promptly, as well as access to the relevant information to make an effective notification to the regulator.
As RICS professionals or stakeholders of your own organisation, you will be affected by the GDPR – whether as individuals benefiting from new or strengthened rights, or as data controllers with responsibilities for implementing measures to ensure your organisation complies with the new rules.
This article was first published in The Property Journal (March/April 2018)