The new EU General Data Protection Regulation (GDPR) was finalised and published earlier this year, and will come into effect in full on 25 May 2018.
The GDPR constitutes the biggest change to the data protection regime in the EU since the 1995 Data Protection Directive, and introduces fundamental changes to the EU data protection regime, some of which will have a profound impact on many organisations that collect and use information about individuals.
This article covers the following aspects:
- a brief reminder of what GDPR is;
- the likely effect of Brexit on the implementation of the GDPR in the UK; and
- how to go about preparing for GDPR over the next 18 months.
While 18 months may feel like a long time, in practice time is now quite short, in particular where IT or systems changes will be required to achieve compliance.
What is the GDPR?
The GDPR will replace the UK’s Data Protection Act 1998 (DPA) (and other laws enacted across all Member States to implement the EU Data Protection Directive 1995). Other laws covering data and privacy issues will continue in force, although work has started separately to assess if and how the e-Privacy Directive, which has been implemented in the UK as the Privacy and Electronic Communications Regulations 2003 covering data and marketing, will be updated.
Key changes introduced by the GDPR include:
- the harmonisation and further development of data protection regimes across the EU;
- the implementation of updated and revised data protection principles, with a greater focus on transparency, data minimisation and accountability;
- increased rights for data subjects, including new rights to erasure and data portability, together with increased rights for claims by or on their behalf in relation to breaches;
- the application of the data protection regime directly to data processors;
- a focus on data protection by design and default;
- an emphasis on keeping full records in relation to data;
- enhanced security obligations and breach notification requirements;
- more prescriptive provisions around using data processors;
- the extension of the regime to apply to non-EU businesses that operate in the EU (in line with EU e-commerce and consumer laws); and
- the potential for businesses to be fined EUR 20 million or up to 4% of their worldwide turnover for serious violations of the GDPR.
In many respects, the GDPR is an evolution of existing UK data protection law rather than a revolution. However, the importance of preparing and ensuring compliance with the new law cannot be understated, in part because of the potentially significant consequences of getting it wrong – whether that be huge fines, claims by affected data subjects, or the reputational damage.
Perhaps more importantly, there are other business benefits for those organisations that use the changes as an opportunity to adopt a fresh approach to thinking about data privacy and protection – not just as a hurdle to business or additional burden, but also as a way to build and enhance trust with their customers and employees.
What will Brexit mean for the GDPR in the UK? Will I still need to comply?
The impact of Brexit on the implementation of GDPR in the UK is currently uncertain. However, since the UK’s EU referendum vote in favour of Brexit, the Information Commissioner’s Office (ICO) has confirmed that having clear data protection laws with safeguards in place is more important than ever given the growing digital economy. At this stage, the ICO has said that it will be speaking to the UK government to present its view that reform of the UK law remains necessary.
Whilst the timetable for Brexit is uncertain at the time of writing, it seems likely that the GDPR will continue to apply to the UK as expected from 25 May 2018. The rationale for this is as follows:
- The GDPR has direct effect within all EU Member States, so by default, it will apply directly in the UK from 25 May 2018, without the need for implementing UK legislation and regardless of possible on-going negotiations concerning Brexit.
- There are many factors that could potentially influence the default implementation of the GDPR on 25 May 2018, but on balance it seems unlikely that its implementation would be completely derailed, particularly as a result of:
- the mechanics of the Article 50 ‘trigger’: It is difficult to predict when the UK Government might trigger Article 50 and how much of the two years allowed under the mechanism for negotiating an exit would be used. If Article 50 was triggered in January 2017 and the full two years was used, then the earliest the UK could practically leave is January 2019. This would be around 8 months after the GDPR becomes law;
- the lack of political appetite to vary this default position: It is highly unlikely that any future UK Parliament would want to be seen withdrawing from what is generally regarded as a global benchmark in the regulation of data processing. The risk of the UK Parliament taking steps to liberalise data protection laws by repealing or amending the DPA or GDPR, at least until any formal withdrawal terms have been negotiated with the EU, is therefore particularly remote;
- the ICO’s position: the theme of the ICO’s statements to date has been that reform of UK data protection law is still necessary.
In the longer term, the UK is still likely to need to maintain a law similar to the GDPR, regardless of any post-Brexit UK model to ensure that data can freely move between the UK and EU in the context of on-going trading relationships.
Therefore, irrespective of whether or not your organisation has operations in other EU Member States (so that GDPR compliance would be required in any event), many clients have decided (and we recommend) to continue with GDPR compliance projects as planned.
What do you need to do to prepare for the GDPR?
In practice, there is no one-size-fits-all GDPR project plan, and the amount of work required will vary depending on a number of factors, including:
- existing obligations set out in each relevant EU Member State’s local data protection laws;
- the extent to which you are compliant with the data protection laws currently in force and how sophisticated your business is with respect to data protection;
- how much personal data you process and for which purposes, and how much of that falls into special categories of personal data;
- whether you are a data processor or a data controller;
- what policies and procedures you already have in place and how you document your data processing practices; and
- how straightforward your data processing activities are (for example, do you involve data processors? Do you export personal data outside of the EU?).
Our advice is to take stock first and then to take it step-by-step, biting off one manageable-sized chunk of the GDPR pie at a time, so that you are ready for compliance on (or before) 25 May 2018.
Step 1: Lay the foundations
Identify key stakeholders early on and, in particular, ensure that you have an executive sponsor on board to support the project through to May 2018 and beyond.
The ‘stick’ is the potential for significant fines in the event of non-compliance and the possibility that companies may be required to delete valuable data collected in breach of the GDPR.
The ‘carrot’ is that being a forerunner in your field in terms of data protection compliance can give you a significant business advantage over your competitors. In addition, some areas of the GDPR even allow businesses to be more flexible and innovative in the way that they design their data processing activities.
Review what guidance is currently available and what more is expected
The data protection authorities (DPAs) in each of the EU Member States have started issuing helpful guidance (some of which may be just as useful or
applicable in other EU Member States). In the UK, the ICO has issued its ’12 steps to take now’ in preparing for the GDPR, and an outline of its own project
plan for developing further guidance.
At a European level, the European Data Protection Board (formerly the Article 29 Working Party) has issued its work programme for 2016-2018, in which it has already set out the primary focus areas for guidance.
It will be helpful to factor the timing of any further guidance into your plan, while keeping in mind that your plan may need to flex around what that guidance says.
Agree a governance structure, allocate resources and set a budget
In these early stages, you may not know exactly how much work will be required, though you will have an idea of what teams are likely to need to be involved (Legal, IT, Compliance, HR, Marketing & Sales and so on), how much internal resource you have available and in what areas you are likely to need external support.
Think about your priorities
At this early stage of allocating resource and setting budgets, you will need to start thinking about what your priorities are likely to be, which areas of the GDPR you should focus on first, what teams will be required and when.
Your priorities will be dictated by the nature of your business, how you use personal data and the areas of highest risk. You will also need to think about how the GDPR might affect what you are doing now. For example:
- are you entering into contracts with data processors that will extend beyond 25 May 2018? If so, you will need to ensure that those contracts are GDPR-compliant, and cover off any additional risks (and liabilities) you may face in the event of a breach;
- are you in the process of developing a product or service that will involve the processing of personal data? If so, you should be thinking about ‘privacy by design’. This is one of the key concepts of the GDPR, which requires you to ensure, from the outset, that the processing of personal data is limited to that necessary to achieve its purpose, and that access to that data is limited to those who need it. You should anticipate potential challenges of this nature that you may face;
- are you using “consent” from data subjects (such as customers or employees) to justify the collection and use of their personal data? If so, data subjects may need to give their consent again, unless the manner in which the consent has been given is already in line with the (enhanced) conditions of the GDPR, which is unlikely, in many cases.
You will get a better sense of your priorities as you move through steps 2 and 3 of your GDPR project plan, so make sure that, at regular intervals, you are pausing to assess and re-assess your plan.
The aim is to be 100% compliant on (or before) 25 May 2018, but this is likely to be challenging in practice for many, so it would be sensible to focus on the most important and risky aspects first.
Step 2: Take stock and gather information
To be able to ensure compliance with the GDPR, you will need a clear picture of:
- what personal data you collect today, how you use it, where you use it, and with whom you share it; and
- what compliance measures you already have in place.
This will also help you prioritise what is important (as referred to in step 1) and to fulfil certain requirements under the GDPR, namely the obligation to maintain a record of processing activities and more generally the principle of ‘accountability’.
This is a key step and should not be rushed. You may already have established sophisticated compliance measures and have a clear (or relatively
clear) picture of how your business uses personal data, in which case there may not be too much to do. Alternatively, your business may have developed in such a way that the relevant tools and procedures were not in place to help you map this out at the time.
Remember that the way you use personal data may change during the course of your project, so there will also need to be processes in place to keep track
of any material changes.
Once you have all the relevant information, it is almost time to implement those measures that need to be taken to ensure that, come 25 May 2018, you are GDPR compliant. But before you get there…
Step 3: Pause, review and assess
…pause, review, assess where you are and where you need to get to, and identify what you need to do to get there. Once you have all the information you need, you will need to review it. The resulting ‘gap analysis’ is one of the most crucial steps on the GDPR compliance roadmap.
To a certain extent, this may involve comparing your compliance with the current law versus compliance with the GDPR. This will not, however, always be
the case (particularly if you weren’t caught by the 1995 Data Protection Directive, but are caught by the GDPR); nor should it be the focus of your assessment.
The GDPR should be seen as a standalone set of requirements. However, you should also avoid re-inventing the wheel. For example, you might have already appointed a data protection officer or have an existing process for checking data processing activities. These will be extremely valuable and may easily be adapted for GDPR compliance.
Once you have carried out that assessment, you will need to identify what you have to do to fill the ‘gaps’, and in what order you should fill them. You
may have had an idea of what remedial steps would be required back at stage 1, and an even better idea at stage 2, but now is the time to turn that idea into a plan.
Now is also the right time to assess how the GDPR might make things easier for you. It is important to keep in mind that the GDPR is not just about increasing requirements and red tape – there are also important areas in which businesses are being given more flexibility (depending on the current national regimes). Examples include:
- requirements for consent or data processing agreements: currently, several EU Member States’ laws require consents or data processing agreements to be in writing to be valid. These requirements will be waived by the GDPR so that, for example, electronic declarations will be permissible across the EU. This change might allow you to re-structure and improve your established process of collecting consents or concluding data processing agreements;
- justifying data processing activities on a balancing-of-interest test: many existing laws enshrine specific requirements for, and restrictions on, certain processing activities, such as marketing use of data, video surveillance etc., which no longer exist in the GDPR. Instead, a balancing-of-interest test applies that gives businesses more flexibility regarding the justification and the design of data processing activities.
This stage will require a thorough knowledge and understanding of both the GDPR and of your business. The GDPR will need to be considered against the backdrop of your business’s infrastructure, its ambitions, its priorities and its appetite for risk.
Step 4: Implement change
Now it is time to get started on those remedial steps and to make use of the new opportunities you have identified (and prioritised) in step 3.
Here are just a few things you may be doing at this stage:
- putting in place policies and governance structures that will allow you to comply with the various requirements of the GDPR and to demonstrate compliance in accordance with the principle of accountability;
- (re-)allocating responsibilities within your business for the various tasks under the GDPR to avoid liability;
- putting in place processes required to comply with the procedural obligations under the GDPR; for example, to notify regulators and data subjects (if required) in the event of a data security breach and to respond to data subjects exercising their rights (such as to data portability);
- rolling out a programme of training for your employees;
- making technical changes to your websites and online platforms relating to legal notices, general terms and conditions, privacy policies and forms used to collect data (and any relevant consents);
- re-negotiating existing contracts with customers and data processors (if possible), and amending your templates for future contracts; and
- refreshing your consents (if required).
Step 5: Put the finishing touches to the plan
The finishing touches are those remedial steps that were lower down on the list of priorities when you came up with your GDPR project plan. These steps are still important, but are likely to be lower risk, easier to implement and will not require such a long lead-in time.
Step 6: Follow up with on-going monitoring and maintenance
As you start to use your new policies and processes, you may find that they do not work perfectly on a day-to-day basis, or that things could be done
more efficiently. The next two years will be a learning process for your business. The key will be to be able to identify any problem areas, work to find a solution and make sure that solution is GDPR-compliant.
The GDPR, and your business, do not stand still. While it is unlikely that there will be significant changes to the text of the GDPR itself anytime soon,
we do expect to see a lot of guidance over the next two years, at a national and international level, on how it should be interpreted. We can help you to
keep on track of any updates, and understand how they may affect your GDPR project plans.
Furthermore, while the GDPR aims to harmonise the data protection laws of the EU Member States even further, national data protection laws will not be
removed completely. Rather, the GDPR allows EU Member States some scope to introduce their own requirements in certain instances. We are happy to help you keep track of any discrepancies in national laws, and explain how they affect your business.
During this time (and beyond), your business, and the way it uses personal data, may well change. As well as being compliant on 25 May 2018, you will need to ensure that you remain compliant on an on-going basis from then on. You will need the right processes in place to manage that.
For many businesses, the GDPR will require a change in mindset. Where compliance with the 1995 Data Protection Directive may have been seen as another regulatory hurdle, compliance with the GDPR should be seen as involving every aspect of a business and every person in it. This may sound like a daunting task, but doing it well should reap substantial benefits.