As the clock counts down inexorably towards the GDPR implementation date of 25th May (less than 4 months to go), it is clear to us that many businesses are only now beginning to focus on what they need to do to ensure compliance by that date.  That’s understandable; it is an often time-consuming exercise which may well involve significant internal changes, the writing and adoption of new policies and no obvious financial return.  So why the fuss?

In this article, we thought it would be helpful to summarise a number of the key concepts around GDPR which may help to explain why GDPR should not be ignored.

1.         What is GDPR?  The EU General Data Protection Regulation (Regulation (EU) 2016/679) was adopted in May 2016 and becomes directly applicable in all EU member states without the need for local implementing legislation on 25th May 2018.  That means every business which processes or controls personal data must comply by that date.

2.         Will GDPR apply to my business?  Almost certainly!  It is difficult to think of many businesses which will not be touched by GDPR in some way.  Even if you are a B2B business without any personal data of your customers, you are likely to hold and process employee personal data.

3.         Is my business a Controller or a Processor?  Do you determine how personal data is to be processed (you’re a Controller) or do you process such data on behalf of a Controller, in which case you are a Processor?  Controllers have the most obligations under GDPR, but Processors must also comply.

4.         Aligning your processes with GDPR.  To do this, you need to map or audit your current data processing activities – bear in mind that most Controllers will also be Processors of personal data – identify where gaps exists and then close those gaps to make your activities GDPR compliant.  For large businesses, this can be a complex and time-consuming exercise so we suggest if you haven’t already started, this ought to be a high priority now.

5.         Legal basis for processing.  This is an area requiring some thought and analysis.  If yours is a B2C business where your customer data is central to the business, it is more likely that your basis for processing will focus on consent.  Whereas if the personal data you process is more ancillary to the business, then the legitimate interest or contractual bases may be more relevant.  There are 6 lawful bases for processing under GDPR which are:

Ø  Consent: The individual has given clear consent for you to process their personal data for a specific purpose.  Bear in mind this is a high standard and will require a positive opt-in from individuals.  Pre-ticked boxes or any other type of default consent will not be sufficient.

Ø  Contract: Your processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.  Bear in mind that choosing this as a basis for processing employee data may be risky due to the difference in bargaining power between employer and employee.

Ø  Legal obligation: Your processing is necessary for you to comply with the law.

Ø  Vital interests: Your processing is necessary to protect someone’s life.

Ø  Public task: Your processing is necessary for you to perform a task in the public interest or for your official functions.

Ø  Legitimate interests: The processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.  This is the most flexible basis for processing but can only apply where you use people’s data in ways they would reasonably expect and which has a minimal privacy impact, or where there is a compelling justification for the processing.  Any processing on this basis has to be balanced against the individual’s interests, rights and freedoms.

6.         Special Personal Data Categories.  To process this type of data, a special exception must apply.  The special personal categories are any data that reveals:

Ø  racial or ethnic origin;

Ø  political opinions;

Ø  religious and philosophical beliefs;

Ø  trade union membership;

Ø  genetic data;

Ø  biometric data for uniquely identifying a natural person; and

Ø  sex life and sexual orientation.

If it is possible that you will need to process Special Personal Data then you must study the exceptions which permit this carefully, and we strongly recommend you take expert advice to ensure you are compliant.

7.         Privacy Notices.  These will require review and updating to reflect the outcome of your process alignment and bases of processing.  Failure to address the many required disclosures in these notices and the manner in which you deliver the notices to data subjects will leave businesses exposed.

8.         Contract Reviews.  Where any third party is processing personal data for you, you must include certain minimum requirements.  This will require you to identify all relevant contracts, prioritise those which are high risk and negotiate appropriate amendments in time for the GDPR implementation date.

9.         Data Protection Impact Assessments.  These are required for any processing that is likely to result in a high risk to a natural person's rights and freedoms, particularly for new technologies and need to be regularly reviewed.  They are not just a one-off exercise.

10.       Data Breach Notification.  You need to have thought this through carefully and have plans in place by the GDPR implementation date.  For example, a Processor must notify its data Controller of a data breach without undue delay, and a Controller must notify the relevant supervisory authority (in the UK, that is the Information Commissioner’s Office) of a data breach within 72 hours.

This note has only scratched the surface of GDPR and its ramifications.  You might well ask whether it is really necessary to go to all this effort.  The answer can only be yes!  Today, the maximum fine which can be levied on Controllers is £500,000.  Following the GDPR implementation date, sanctions for non-compliance are potentially massive with the risk of fines up to €20 million or 4% of annual net revenue (whichever is the higher) for serious breaches.