A business that is not GDPR compliant could face a fine of €20m or 4% of its annual turnover.
The new General Data Protection Regulation (GDPR) comes into force in May 2018 and will replace the current Data Protection Act.
The biggest impact will be on companies with 250 or more employees, which may have to appoint a data controller and/or a data processor.
For companies that employ fewer than 250 staff, the GDPR imposes some direct obligations on data processors that you will need to understand and build into your policies, procedures and contracts.
You may find that your customers will want to ensure that your services are compatible with the enhanced requirements of the Regulations. If this is the case, you will need to review if your contractual documentation is adequate and, for existing contracts, check who bears the cost of making changes to the services as a result of the changing regulations.
If you obtain data processing services from a third party, it is very important to determine and document your respective responsibilities.
Establish a framework for accountability
All companies will need to put in place clear policies and practised procedures so that they can react quickly to any data breach and, where required, notify the regulator in time.
Establish a culture of monitoring, reviewing and assessing your data processing procedures, aiming to minimise data processing and retention of data, and building in safeguards.
Check that your staff are trained to understand their obligations. Auditable privacy impact assessments will also need to be conducted to review any risky processing activities, and steps should be taken to address specific concerns.
Implement privacy by design
Ensure that privacy is embedded into any new processing or product that is deployed. This needs to be thought about early in the process to enable a structured assessment and systematic validation. Implementing privacy by design can both demonstrate compliance and create competitive advantage.
The legal basis for use of personal data
Consider what data processing you undertake. For example, do you rely on data subject consent or can you show that you have a legitimate interest in processing data that is not overridden by the interests of the data subject? Companies often assume they need to obtain the consent of data subjects to process their data, but consent is just one of a number of ways of legitimising processing activity and may not be the best.
If you do rely on obtaining consent, review whether your documents and forms of consent are adequate and check that consents are freely given, and are specific and informed. You will bear the burden of proof.
Check privacy notices and policies
The GDPR requires that information provided should be in clear and plain language, so your policies should be transparent and easily accessible.
Consider the rights of data subjects
Data subjects can exercise their rights under the GDPR, including the right to data portability and the right to erasure. If you store personal data, consider the legitimate grounds for its retention.
The burden of proof will rest entirely on you to demonstrate that your legitimate grounds override the interests of the data subjects. Be aware that you may also face individuals who have unrealistic expectations of their rights.
International data transfers
For any international data transfers, including intra-group transfers, it will be important to make sure you have a legitimate basis for transferring personal data to jurisdictions that are not recognised as having adequate data protection regulation.
This is not a new concern, but as failure to comply could attract a fine of up to €20m or 4% of annual worldwide turnover, the consequences of non-compliance could be severe. You may need to consider adopting binding corporate rules to facilitate intra-group transfers of data.
How the BPIF can help you
The BPIF is offering a two-day GAP Analysis service to member companies to assist compliance with the new General Data Protection Regulations. The analysis will help you to define the roles and responsibilities that apply to GDPR, and will show you how to integrate GDPR with ISO27001:2013.
It will also provide:
- Guidance for pseudonymisation, minimisation and encryption
- Guidelines for mapping the flow of data
- Sample contract clauses
- Retention of records
- Sample policies and procedures
- GDPR policies and procedures
- Training policies
- Procedures for fair processing of data
- Subject access
- Privacy impact assessment
- Breach notification
The service also includes a basic checklist, an agenda for Board meetings and basic work instructions.
GDPR and ISO 27001 ISMS
If your company already holds certification to the latest ISO 27001 standard, the following link will help you see how the GDPR affects your ISO 27001 certification: www.britishprint.com/gdprmapping
- ISO 27001 Information Security Management: Implementing and maintaining an Information Security Management System (ISMS) certified to the internationally recognised data security standard ISO 27001 is the most effective way to reduce your risks and to assure clients and insurers that security of information is your company's top priority.
- BPIF Cyber Essentials Scheme: Every second, someone is trying to access your company data. Protect yourself and your clients from cyber attack.
The BPIF is the printing industry's champion. By becoming a member you join a diverse and influential community. We help you solve business problems, connect you to new customers and suppliers, and make your voice heard in government.