Increased obligations, higher penalties
The principles of the GDPR identifying how personal data should be handled and used are largely based on existing data protection law – for example, personal data should only be used fairly and lawfully and should not be kept for longer than necessary.
However, the GDPR also introduces various new obligations, such as the requirements to:
- ensure that personal data is processed “transparently” – this involves providing individuals with much more detailed information about how you handle their personal data;
- build in data protection “by design and default” – effectively, putting data protection considerations at the heart of your processes; and
- “demonstrate” compliance – i.e. it’s not enough for a company to comply with the law, it must also be able to provide evidence that it has done so.
The importance of compliance is underlined by the significant potential penalties for breach, including fines of up to 20,000,000 Euros or 4% of an organisation's global turnover, whichever is higher. European guidance on enforcement of the GDPR states that national regulators will have discretion about the fines they impose, but emphasises that any penalties must be effective, dissuasive and proportionate. The GDPR will be enforced in the UK by the Information Commissioner’s Office (ICO).
What about Brexit?
Brexit does not change the position, or mean that we can ignore the GDPR. This is because the GDPR will apply directly in the UK before we leave the EU, and the Data Protection Bill that is currently progressing through Parliament is intended to bring the GDPR into domestic law in readiness for our exit.
Steps towards compliance
The GDPR regime is so onerous that achieving full compliance by 25 May is unlikely to be possible for most companies. It is nonetheless imperative that companies take steps to get as close to compliance as they can, as soon as they can.
The first step, if companies haven’t done so already, is to conduct an audit to understand (among other things) what personal data they process, for what purposes and on what legal grounds. The audit should cover not just HR/employee personal data, but all personal data processed by the company, including, for example, personal data belonging to customers, suppliers, website users, and the general public. The results of an audit can be used to help companies to produce their most essential GDPR documents, which we strongly recommend putting in place in time for 25 May. These are:
- Privacy Notices informing individuals how the company uses their personal data (it would be appropriate to have separate privacy notices for different types of data subject, e.g. employee, customer, etc. as the uses of their data will differ)
- Retention Policies explaining how long the company might keep individuals’ personal data
- A Data Protection Policy explaining how the company complies with its GDPR obligations and how it expects employees who handle personal data in their jobs to comply
- A Record of Processing detailing how the company uses personal data (this is an internal document but must be shown to the ICO on request)
Companies should also ensure they have access to a Data Protection Impact Assessment (DPIA) template, which will help them to comply with their obligation to assess data protection risks in relation to certain data processing activities.