16 February 2018
GDPR: 5 step action plan
It is now less than 100 days before the EU’s General Data Protection Regulation (the “GDPR”) comes into force on 25 May 2018. The equivalent Jersey legislation, the Data Protection (Jersey) Law 2018 (the “Jersey DP Law”) was registered by the Royal Court of Jersey on 16 February 2018 and will also come into effect on 25 May 2018.
All Jersey businesses will be impacted by the GDPR, especially those which offer goods and/or services to, or target or monitor, EU citizens. In addition, once the Jersey DP Law incorporates the GDPR into local law, it will afford equivalent protection to local residents.
GDPR action plan
With the GDPR deadline looming, now is the time to get ready. Here are some of the actions you should be taking that Viberts can help you with to prepare for GDPR:
1. Conduct a data controllers’ or data processors’ self-assessment
The Office of the Information Commissioner has issued downloadable questionnaires to act as a starting point for organisations and assist in the preparation for compliance under the GDPR and the equivalent local legislation. Once you have completed this questionnaire, you may wish to contact Viberts to obtain legal advice on how best to review, enhance or develop the processes and procedures you already have in place, deal with specific legal issues or remedy any shortfalls in your existing processes.
2. Review your existing employment, customer and supplier contracts
You will need to ensure that you have the correct consents in place from your employees and customers for the processing of their data. Suitable arrangements in relation to data will also need to be made with any of your suppliers.
Any consent must be clearly, distinguishably and freely given and must be as easy to withdraw as it was to give. Particular circumstances also apply where the data subject is a minor.
When dealing with suppliers of services, especially digital or digitally delivered ones (e.g. using a third party’s server to store your customers’ data), there will be a data controller-data processor relationship in place. The data controller (you) determines the purposes and means of processing the personal data, and the data processor (the supplier of services) is the person who handles the data on your behalf. It will be necessary to ensure that the contract governing such a relationship is compliant with the GDPR. The terms agreed and the allocation of risk will need to be revisited in light of the GDPR requirements.
Viberts can assist with checking and amending existing contracts, or drafting new contracts, to ensure they are GDPR compliant.
3. Have a “SAR” process
The GDPR enhances the rights of individuals to access their personal data. Many will be used to the acronym “SAR” meaning a “suspicious activity report”; however, in the new world of data protection regulation, “SAR” also stands for a “subject access request”. A subject access request is made when an individual requests that you provide them with all the data you hold about them. Unless the request is manifestly excessive, unfounded or repetitive, a business may not charge a fee for meeting it and must comply within one month. Therefore, it is essential that businesses have proper procedures in place to act on, or where appropriate refuse, such requests.
4. Have a data breach plan
In the event of a data breach, a business will need to inform the Information Commissioner. As data protection becomes increasingly regulated and breaches sanctioned, having an internal process for the management and reporting of data breaches should become best practice. Such policies should be regularly reviewed and updated. Viberts can provide and advise on such policies.
5. Issue privacy notices
Viberts can draft the privacy notices which businesses will be required to issue whenever personal data is collected, for example, when you hold information on your employees. Such notices detail the information you will be holding on a data subject. The requirement to issue privacy notices stems from one of the key elements of the GDPR: transparency of processing. The aim of this provision is to ensure individuals are clear about how their data will be processed.