General Data Protection Regulations
Preparing for the upcoming changes in data protection law
David Jones & Angharad Williams
Hillyer McKeown LLP
- Commercial law firm: Chester, North Wales, Wirral, Liverpool
- Over 100 staff
- Diverse UK-wide client base
- Legal 500: the team have been praised for the “first-class clarity and quality” of their advice.
What are the GDPR?
- Replace current EU legislation on the processing and handling of data (including the Data Protection Act 1998)
- Effective from 25th May 2018
- Aim to harmonise and strengthen the data rights of EU citizens
- Will apply to all EU member states, including the U.K.
The changes introduced substantially increase the responsibility of data controllers and processors regarding the handling of individuals’ personal data.
What is data?
- Personal Data: data which relates to a living individual who can be identified from that data
- Sensitive Personal Data: data relating to a living individual’s racial / ethnic origin; religious beliefs; criminal offences; physical / mental health
- Data Subject: an individual who is the subject of personal data
- Data Controller: a person who determines how personal data is to be processed
- Data Processor: any person who processes the data on behalf of the Data Controller
Why are the GDPR important?
Five key changes:
- Stricter rules on consent
- Enhanced rights for data subjects
- Accountability measures increased
- Data breach notifications
- Fines
Case Examples
GDPR is high profile following a number of recent data breaches:
- NHS
- Equifax
Legitimate grounds for processing
- Contractual necessity
- Legitimate interests
- Compliance with a legal obligation
- Protection of vital interests
- Public interest / official authority
- Consent
How do you ensure compliance?
- Raise awareness of GDPR: discuss the potential impact of GDPR at board level and throughout the business.
- Roles and responsibilities: find out who is accountable for the day-to-day control of collecting, storing and processing any personal data.
- Appoint a data protection officer (DPO) and supporting team: appoint a DPO and representatives from responsible departments to coordinate the organisational changes needed to comply with the new law.
How do you ensure compliance?
- Data Protection Impact Assessment (DPIA) for personal data: perform a risk assessment for each department, including the lawful basis for handling someone’s data.
- Review consent: define how you seek, record and manage consent for collecting, storing and processing types of personal data.
- Audit trail: review the processes and mechanisms in place to ensure security, accountability and transparency.
How do you ensure compliance?
- Review legal documentation: update individuals’ rights and privacy information, such as privacy notices, to make them compliant with the new law.
- Subject access requests: define how your business plans to handle requests from people to access their data according to the new GDPR.
- Update policies and procedures with third parties: is the data you hold shared outside your organisation? If so, with whom? How? Where?
How do you ensure compliance?
Testing and review ready for 25th May 2018:
- Complete final staff training on updates to new policies, processes and procedures for all aspects of personal data management.
- Review and test personal data handling across the business, within departments and for key individuals who have responsibility for data.
- Plan for ongoing GDPR compliance via comprehensive auditing and reporting.
- Ensure accurate, compliant and transparent data management.
Don’t panic! 5 steps to ensure compliance
1. Start the discussion and gather information
2. Decide who will be responsible (consider DPOs)
3. Training and policies
4. Evidence and accountability
5. Preparing for potential breaches
Five key questions businesses should be asking themselves now
- Where do we currently store personal data, and is it secure?
- Who has control of personal data at present?
- What authority do we have to use and process personal data?
- What are the current IT systems and processes relating to the data we hold? Is there a process of erasure?
- Is the data we hold shared with any external contacts or third parties, and is it shared anywhere outside the European Economic Area (EEA)?
Contact Details
David Jones
Tel: (0151) 666 0747
Email: dbj@law.uk.com
Angharad Williams
Tel: (01244) 357 284
Email: aww@law.uk.com
Thank you, do you have any questions?