legally speaking

EVERYONE'S TALKING ABOUT GDPR - ARE YOU?

CHRISTINE JACKSON, PARTNER AT LAW FIRM WRIGHT HASSALL, OUTLINES WHAT THE GDPR MEANS FOR YOUR BUSINESS AND THE RULES AROUND STORING CUSTOMER DATA

If you are an engineering company employing staff and you have commercial dealings with customers, suppliers and subcontractors, then the new GDPR regulations, which came into force on 25 May, governing the management, processing and communication of personal data, will apply to you.

KEY CHANGES

The Information Commissioner has gone to great lengths to reassure businesses that store and process personal data that, if they are already compliant with the current Data Protection legislation, then complying with the GDPR shouldn't be too big a step. Nonetheless, there are some key changes that may affect you. For instance, under current data protection legislation, it is the organisation with control over the data that has to comply with the rules; under GDPR, this obligation is extended to any organisation that processes data on behalf of another (for example, payroll). Another main change is 'privacy by design', whereby new IT systems must be designed to take data protection into account at the outset.

The GDPR is bringing more power to the people: it will impose controls on businesses to ensure people have the freedom to take control of their personal data and how it is used. However, there are already a number of legal bases for processing data, such as needing to do so for the performance of a contract, or to comply with a legal obligation, and these will not change.

So, do you know what is required of your business? How did you prepare for GDPR? Do you know that the UK Bill implementing the GDPR provides for personal fines for managers, officers and directors who should know (but choose not to), or simply don't know, what steps should be taken to comply with the GDPR?

The requirements are such that responsibility for ensuring that your business is compliant should lie at board level. Below we list some initial critical (and time-sensitive) steps/considerations that you must take, if you haven't already done so, in order to maintain on-going compliance with the GDPR:

1. Perform a data audit. An audit should involve an overview of all the personal data you collect. For example: what types of data do you process; is it shared with third parties; where did you source the data; is it moved out of the EEA; and what legal grounds have you recorded for this processing? Do you have special categories of data (the 'old' sensitive personal data)? An audit is critical to understanding what you need to do to be compliant and to identifying any high-risk processing or special categories of personal data.

2. Are you a data controller or data processor, or both? In most cases, you will be a controller only. However, if you outsource the processing of any personal data to another business - eg, back office accounting or outsourced payroll services - you will be contracting with a data processor, and so the contract must include certain mandatory provisions.

3. Consider the need for a Mandatory Data Protection Officer. Does your business have to appoint a 'mandatory' DPO? The resource is hard to find, not least because of the expertise required, specifically an in-depth knowledge of the laws in all applicable territories. If you decide you don't need a 'mandatory' DPO, you must document your reasoning, analysis and conclusion.

4. Accountability. Data controllers must now keep a record of, and be accountable to provide on request, a wide range of information relating to the personal data processed, including (but not limited to) categories of data subjects and of data types, legal grounds for all processing activity, the data processing activity itself, location of databases, transfers of personal data, retention periods, and much more.

5. Establish the legal bases for processing the data. Examples include 'affirmative' consent (although where you can, you should be seeking to steer away from the consent-based legal basis), legitimate interest of the business, or fulfilment of a contract. Other legal bases also exist and must be recorded by the business.

6. Raise awareness. All staff should receive training on the GDPR.

7. Update contracts that involve the processing of personal data by a third party. Review your existing contracts and update them to include the mandatory data processor clauses. Don't forget that clauses relating to liability, compliance with laws and confidential information might also be affected or need to be revisited, in light of this important change in law.

8. Readiness for new data subject rights. How far must you go to minimise the data you hold? Consider whether your existing processes and IT provision can adequately, and in time, respond to data subjects' requests - eg, for access to data held about them, or where a data subject notifies you that it withdraws its consent as a legal basis for your processing their data. What changes/developments might be needed, so you can act fast when an individual exercises his or her right to rectify, erase, access or transfer their data?

9. Review privacy notices. These will need to be updated and are essential in complying with the transparency obligations in the first principle ("fair, lawful and transparent processing").

10. Internal policies and procedures will need to be created, reviewed and/or updated. Set processes in place within your organisation, so that data subject rights are dealt with in the one month which the law allows. Include a policy that provides that new technology developments may only be entered into after careful assessment of privacy risks ('Privacy by Design'/Privacy Impact Assessments).

11. Create a Breach Response Action Plan and a Subject Access Request Response Plan. Mobilise the business to act promptly in the event of a breach (some are notifiable within 72 hours of becoming aware) or if an individual exercises his or her right to request a copy of all data you hold about that person. This can be more extensive than you may at first realise. For major breaches, the lead authority will look to see how the breach has been handled by the business, so inspections can and do happen.

PART OF THE BUSINESS

In essence, the GDPR needs to become part of each business in every aspect of its operations. If this is driven from board level, it will encourage the necessary culture change to ensure compliance.

Christine Jackson, partner at law firm Wright Hassall.

computing security, May/June 2018, pp. 18-19, @CSMagAndAwards