In sales, we need to understand before we need to be understood
of all processing activities, impact assessments; and certain companies may need to appoint a Data Protection Officer to assist with these requirements, particularly where a company’s core activities involve regular and systematic monitoring of data on a large scale or consist of processing special categories of personal data 5. Data Processors now have legal responsibility as well as Data Controllers – much greater liabilities and obligations 6. Increased requirement for consent – an ‘affirmative act’ that individuals are in agreement to the processing of their personal data, in plain, nonambiguous language and not conditional on other matters – with consent recorded – and easy to withdraw 7. Consents for children under 16 – parental consent will be required for those under 13 years of age, with requirements for 13-16 year-olds varying between EU member states 8. Breach notification obligations – requiring notification to the ICO within 72 hours and where necessary to all data subjects who are affected. This will require a ready-to-go procedure and team in place in the event of a breach 9. Regulation of the Data Controller/Data Processor relationship – Data Processors (outside suppliers working for your company) are required to be ‘reliable’ – i.e. get evidence that they are compliant, engaged with a written contract and need the consent of the Controller to engage sub-processors 10. Increased Fines – under the DPA the ICO can currently impose monetary fines of up to £500,000, under the GDPR this has been increased up to €20 million or 4% of worldwide turnover (whichever is the greater) for serious breaches. The ICO has set out 12 steps to take now so that you’re ready for the GDPR next year: 1. Awareness across the organisation about personal data, with training where required
2. Information you hold – customers, suppliers, employees 3. Privacy policies – are they compliant? 4. Individuals’ rights – are all your staff aware of these? 5. Access rights – can you respond to a subject access request? 6. Lawful basis for processing personal data – can you document this in a meaningful way? 7. Consent – does the way you capture this meet a new threshold? 8. Children – are you compliant with the GDPR’s consent requirements? 9. Data breaches – have you got a team and process in place for a quick, comprehensive response? 10. Is data protection designed in to your processes? Are you thinking about privacy by design and data protection impact assessments? 11. Do you need a data protection officer? 12. International – where is your equipment or service provider located? Finally, here are six things you should be doing now to be ready for the GDPR next year: 1. Developing records of processing activities 2. Reviewing data processor agreements 3. Reviewing privacy notices 4. Reviewing consents 5. Reviewing data transfers 6. Do you need to carry out a data audit? Rebecca Collard is a senior associate in the Technology, Media & Entertainment Group at Harbottle & Lewis. She specialises in disruptive technology and advises on a broad range of commercial and intellectual property matters including data protection and privacy, with experience of advising in the online and mobile communications industries. The Harbottle & Lewis data team is helping many businesses from a wide range of industries get ready for GDPR; do contact her for more information (firstname.lastname@example.org).
IABM JOURNAL 41