Once GDPR comes into effect on the 25th May, businesses must ensure ongoing compliance. The ICO outlines in its overview of the new regulation that it intends to inspire a culture of data protection “by design and default” throughout businesses. Pressure will be on data controllers to demonstrate that they have actively considered the legality of any processing activity they undertake, ensuring that they are compliant with the 6 processing principles. Going forward, the emphasis for businesses is on transparency.
Manage consent issues
With the new rights of data subjects comes a higher chance of individuals wanting to withdraw their consent for processing activities or to have the data held about them deleted entirely. Businesses must respond in order to be compliant and avoid fines.
Under the new rights, GDPR also states that organisations may only hold on to personal information for as long as is necessary to fulfil the intended purpose of collection. Therefore, it is important that a system is in place to monitor retention periods and enforce the deletion of such information once the time period has passed. We would recommend forming a data retention policy which outlines to the subject the justifications for holding on to any information. When drafting these policies, organisations will need to consider whether there are any laws or regulations which oblige them to hold on to some of that data for specified periods. One example is the retention of financial data for auditing purposes. While this is permitted, transparency is still the key here, so companies should make their purposes clear.
Remember that the data subject can also request the deletion of any information held about them at any time, so the controller needs to comply and confirm deletion from its own systems and from any third-party systems.
Report data breaches
If your company encounters ANY personal data breach under the GDPR, it must be reported to the ICO within 72 hours if it risks the rights and freedoms of data subjects. If the risk is high, the breach must also be reported to the data subjects themselves in a clear and concise way that outlines exactly how their rights have been affected.
Data protection impact assessments
If a processing activity is likely to result in a breach, or if processing will be systematic and extensive, a data protection impact assessment must be carried out. The document should contain a description of the processing activity; an assessment of its necessity and proportionality to the purpose of the activity; a risk assessment concerning the data subject; and a description of the controls that have been put in place to eliminate the risk.
With fines set at €20 million or 4% of global revenue, these processes cannot be an afterthought. Make sure your business is GDPR compliant before May and that the necessary protocols have been rehearsed. For more information about how to prepare, visit our other blog post: What to do Before GDPR comes into effect.