Best Practice Under the General Data Protection Act
On the 25th of May 2018, the EU’s General Data Protection Regulation (GDPR) will become law. It is therefore crucial for organisations and businesses to be fully informed as to what are GDPR best practices. Failing to put these GDPR best practices into action may result in a business being ruled to be non-compliant with the new Regulation, the consequences of which being weighty fines or sanctions. Clearly, no company will want to risk that.
Obviously, a GDPR compliant business will also have the additional benefit of maintaining the trust of customers who will be reassured to know that their personal data is adequately protected. At the end of the day, nobody would like to learn that their personal data had been compromised. What, therefore, are the GDPR best practices that every business should adopt before May 25th, 2018?
Inform yourself about the GDPR
The first step to take is to ensure that you are fully informed as to what changes the GDPR will make. This allows your colleagues and yourself, to grasp the new policies that you are obliged to respect. A key goal of the GDPR is to give people who live in the European Union more say over the manner in which their personal data is dealt with. Just like before, individuals have the right to request to view any of their data that is being held, via a system access request, or “SAR”. The GDPR, however, has limited the maximum processing time for such requests to 40 days. Individuals will also have the right to request that their personal data be modified or deleted, other than when it can be argued that there is a legal justification for its retention.
An additional objective of the GDPR is to make certain that the protection of personal data is effected in a uniform manner throughout the European Union. Even though individual DPAs will have room for manoeuvre in some domains, e.g. imposing fines, there is an expectation that they will communicate and liaise together. This should result in a new uniformity to data protection management across all EU member states.
Comprehend the implications of GDPR for your business
It is all well and good knowing why the EU has created the GDPR, but no business can possibly hope to be fully GDPR compliant if it does not have a full understanding of how it is going to be affected by the new Regulation. A large number of businesses are under the impression that they are exempt from GDPR compliance. But is that really the case? The majority of online businesses will indeed be affected by the changes. The following facts may be relevant to your business:
- All businesses that process the personal data of European Union residents must comply with GDPR. This is not just applicable to Europe-based businesses, but to businesses worldwide.
- Any business which employs at least 250 people needs to hire or appoint a Data Protection Officer (DPO).
- GDPR is not merely applicable to those businesses which have workforces of at least 250 people. Smaller businesses also need to be GDPR compliant if they are involved in the regular processing of personal data, or if they process sensitive data (the definition of “sensitive data” being found under Article 9 of the GDPR).
It is crucial that you are aware of how GDPR affects your business, and that you familiarise yourself with it. Without this knowledge, you will not be in a position to ensure that your business is adequately prepared for the introduction of the GDPR.
Carry out an audit of any data you hold
The advent of the GDPR has brought a number of changes to the existing rules of personal data processing. A very significant change concerns consent. From May 2018, data subjects must give informed consent in order for their data to be used for a defined purpose. The only exception is when it can be demonstrated there is bona fide legal reason for the personal data to be held and/or processed. A definite action has to be taken by data subjects in order for them to giver their consent. The previous common use of pre-checked tick boxes is no longer acceptable.
Your business needs to make sure that all of the personal data it holds has been audited so as to guarantee that all of the requirements, including those concerning revised consent standards, of the GDPR have been met.
Create work systems for managing data
All businesses should know precisely what personal data they hold and process, where that data is stored, how they obtained it, whether or not the need for the retention of the data still exists and which member of staff is in charge of the management of the data. For this reason you must develop mechanisms for your company which will satisfy all of these requirements.
E.g. when thinking about GDPR best practices, it is advisable that a business keeps data solely relating to the purpose it was originally obtained for. Should that reason no longer exist, the data should be immediately deleted, other than in circumstances where the business has another legitimate legal reason for processing it. Regularly deleting data that is no longer required is beneficial to a business; the smaller the amount of data that is held, the smaller the risk to a business in the unfortunate event of a data breach.
Verify that reporting processes are GDPR compliant
Following the introduction of the GDPR, businesses will need to be capable of proving that they are compliant with it. To do this, businesses should keep detailed records of policies and procedures, together with the checks and verifications that they regularly make.
Given that it will be insufficient for a business to merely appear to be compliant, this is a hugely significant aspect of GDPR best practices. All businesses will have to be in a position to furnish sufficient documentation to the Data Protection Authority (DPA) in order to prove compliance. Failing to do so may result in the imposition of a fine or other sanctions.
Evaluate the risk level of data you already hold
Risk assessment is sure to be a significant part of GDPR compliance. All businesses need to perform a risk assessment of the data in their possession, and of the way in which they manage said data. It is advisable to use Protection Impact Assessments (DPIAs) in order to calculate the magnitude of risk and the possible damage that the business could sustain because of the personal data it holds. Each business is responsible for ensuring that it identifies and mitigates against risk.
When considering GDPR best practices for a particular business, one should be alert to the fact that action must be taken where it appears that mitigation is impossible. In these circumstances, the business must confer with the relevant DPA, prior to processing the data. It is, of course, anticipated that scenarios like this will be infrequent if not rare.
Appoint a Data Protection Officer
Any business that is involved in the processing of data, has a workforce of 250 people or more and processes personal data, must have appointed a DPO by the time the GDPR comes into force. It is very probable, therefore, that there will initially be a distinct lack of qualified DPOs. It should be noted, however, that the GDPR provides no stipulation as to how DPOs be qualified. This means that companies have the option of moving an existing employee into the position.
A pre-requisite for all DPOs, however, is that they benefit from a detailed knowledge of the new Regulation. They must also be capable of developing systems to manage and protect the personal data that is in the possession of the business. That is to say that it might be obligatory for the individual who takes on the role to take a GDPR training course. Should your business intend to transfer a current employee into the DPO position, you must first make sure that the necessary training has been completed in advance, to ensure GDPR compliance.
An alternative option is that a business can decide to use a 3rd party DPO. With either option, GDPR good practices must be respected at all times. It must be noted that the 3rd party DPO is also considered as a business that processes personal data. This is to say that the 3rd party also has to be GDPR compliant, meaning that all businesses need to be prudent that this is acknowledged and confirmed when agreements are signed.
Train staff in GDPR best practices
This article is designed to consider GDPR best practices, from the perspective of those businesses that will be affected by it. Nonetheless, it is not only CEOs, managers or DPOs who should be aware of the best practices described above. Everyone who is employed by such a business, and engages in the processing of data, needs to be well versed in the impact of the GDPR.
All employees should receive GDPR training so that they are equipped to respect the new rules and regulations which will ensure that the business, as a whole, is GDPR compliant.
Develop a functional reporting plan for potential data breaches
Action must be taken to make sure that your business is GDPR compliant, thereby avoiding any problems with the data that it processes. Even the most diligent and fully GDPR compliant business, however, can suffer a data breach. A data breach has the potential to be enormously damaging, particularly when a very large, international company is concerned. This is the main reason for which the GDPR requires that data breaches be reported within 72 hours of the event.
Your business needs to put a comprehensive plan in place to deal with data breaches should they occur so as to ensure that they will be properly reported within the 72 hour time frame. It is really a question of hoping (and working towards) the best case scenario, while at the same time preparing for the worst.
Some media reports have indicated that a large number of businesses believe that they are not yet sufficiently prepared for the GDPR’s introduction in May 2018. This is rather alarming, as businesses which fail to comply can be hit with heavy fines and sanctions. It is time for all business to take immediate action to ensure that they will be ready.
This article has advised as to some of the GDPR best practices that your business should consider implementing in order to be ready for the change in the law. The adoption of these best practices could help your company to be prepared in advance of May 2018, and to remain fully GDPR compliant in the future.