Draft regulations are unlikely to substantially change
The key elements of GDPR have been published in draft for some time and whilst there may be some limited refinement in the final stage of approval, it is not likely that there will be any significant variation from what we know now. The major implications are:
- Increased territorial scope of the regulations, extending beyond EU boundaries
- Substantial increase in fines and the cost of non-compliance
- More precise and granular consent requirements applied
- Creating an internal culture designed to protect the rights of data subjects, from ensuring the right to be forgotten, to the requirement to appoint a Data Protection Officer and to report breaches
Time to get started – stage one, understand where you stand
If you have not yet embarked upon your GDPR compliance review, it is now time to get the process underway.
As with most significant compliance projects, stage one is to fully benchmark your present policies and processes relative to the new legislation. Only then will you be able to assess where the gaps lie and the actions required by your business before May 2018.
To assist in an objective benchmarking exercise, Wellers has created a GDPR data audit that will document your use of data within the business, identify where the risks are likely to lie and provide an invaluable basis for meeting the deadline for compliance.
Consent – a big issue for marketing and systems changes
For many businesses the new rules on ‘consent’ in particular are likely to be of great concern. Whilst many of the requirements under GDPR have been best practice for some time, the new consent regime could limit a business’s ability to market to clients and prospects and therefore may have an immediate impact on revenue as well as absorbing IT resources. Sales and Marketing departments will require time to plan how client data can be used in future and require clarity as soon as possible.
We believe that the definition of the changes provided by the Information Commissioner’s Office, summarised below, is clear enough for planning purposes.
What are the key changes to consent in practice?
You will need to review your consent mechanisms to make sure they meet the GDPR requirements on being specific, granular, clear, prominent, opt-in, documented and easily withdrawn. The key new points are as follows:
- Unbundled: consent requests must be separate from other terms and conditions. Consent should not be a precondition of signing up to a service unless necessary for that service.
- Active opt-in: pre-ticked opt-in boxes are invalid – use unticked opt-in boxes or similar active opt-in methods (e.g. a binary choice given equal prominence).
- Granular: give granular options to consent separately to different types of processing wherever appropriate.
- Named: name your organisation and any third parties who will be relying on consent – even precisely defined categories of third-party organisations will not be acceptable under the GDPR.
- Documented: keep records to demonstrate what the individual has consented to, including what they were told, and when and how they consented.
Please contact the Wellers GDPR team to find out how to commission a data compliance audit. Call 020 7481 2422 or email sian.stephens@wellerslawgroup.com for an initial discussion.