Top 6 questions in-house lawyers should be asking in preparation for data protection reforms
The General Data Protection Regulation represents the biggest reform of data protection law for decades. It's therefore vital that organisations are fully prepared for the new rules. But where exactly do you begin?
I've set out some key questions that in-house lawyers should be asking now in order to get ready for the new Regulation.
As a reminder, the new Regulation is expected to be formally signed off in the coming weeks, with a two-year implementation period before the new rules take effect in 2018. Breaching these rules could leave organisations facing penalties of up to €20 million or 4% of worldwide annual turnover, whichever is the higher, as well as compensation claims from individuals.
1. Will the new Regulation apply to my organisation?
If you process 'personal data' about individuals, whether they are employees, customers or clients, then the answer to this question will almost certainly be "yes". The Regulation has a wide territorial scope, applying to organisations based in the EU, and those outside the EU which offer goods or services to individuals in the EU or monitor the behaviour of individuals in the EU. And unlike existing data protection law, parts of the Regulation will apply directly to data processors as well as controllers.
2. What personal data are we currently processing (and why)?
With the new Regulation now firmly on the horizon, this is an ideal opportunity to take stock of the personal data you are currently handling. Think about what information you're collecting, how you're using it and what the potential risks may be. Could you be doing things differently to reduce these risks? Could anonymisation be used to take the processing outside the Regulation altogether? Note that the definition of 'personal data' will be expanded by the Regulation, applying to information relating to individuals who are indirectly identifiable by reference to online identifiers or location data.
3. Are we providing individuals with enough information?
The Regulation contains new rules on providing information to individuals about how their data is used. These are more prescriptive than existing requirements. For instance, you'll be required to inform individuals at the time their information is collected of the legal basis of the processing and the period for which it will be retained. There are also additional obligations whenever an organisation is seeking the consent of an individual. These changes are likely to require most organisations to review and re-write various documents, including privacy notices, consent wording, data protection policies and employee handbooks.
4. Can we show that we're complying with the rules?
An overarching theme of the new Regulation is the principle of accountability. There are new requirements on controllers and processors to demonstrate their compliance by fully documenting their data processing activities. Public bodies, and organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of sensitive categories of data, will be required to appoint a Data Protection Officer; new processing activities that carry a high risk to individuals may require organisations to carry out data protection impact assessments; and organisations will be expected to implement privacy by design and by default. There will also be new requirements to report personal data breaches to the regulator (within 72 hours where feasible), and breaches that present a high risk to the individuals affected. These changes are likely to present challenges for most organisations, so you should consider whether your existing internal compliance systems can meet them. On the plus side, at least you won't need to worry about renewing your ICO notification, as this will be scrapped under the new Regulation.
5. Will we be able to deal with the new rights for individuals?
The Regulation includes a suite of additional rights for individuals. As well as familiar rights to subject access and to object to processing, which are retained from the current law, individuals will also have the right to receive their data in a commonly used and machine-readable format and the right to have their data erased. You should consider whether your current processes are fit for purpose to allow individuals to exercise these new rights.
6. Will we be exporting any data outside Europe?
There has been much discussion about the transfer of personal data outside of Europe following the Court of Justice's recent decision invalidating the Safe Harbor framework, and the challenges associated with exporting data are well documented. The Regulation does not provide any easy solutions for data exporters. It repeats much of the existing law and in some circumstances narrows the scope for organisations to legitimise transfers of personal information outside of Europe. Ensuring that your data transfers meet the new requirements will continue to be a challenge for data exporters.
AND FINALLY, don't be afraid to ask for help. Blake Morgan will be working with our clients over the coming months to ensure that they are fully prepared for the new Regulation. Please let us know if you have any specific queries or would like to discuss how the new Regulation may affect your business.