Business First Summer 2017 Business First Magazine Summer 2017 | Page 18
GDPR: What you need to do
before May 2018
Rory Campbell from Forde Campbell LLC outlines the three stages every business in Northern Ireland needs to complete to fulfil their
data protection responsibilities and avoid the wrath of the ICO next May.
o. May 25th 2018. Under a year to go,
then, until the radical new data
protection regulations become law.
Radical, because the General Data
Protection Regulation uproots much of the
existing regime to place new requirements on
Whatever the nature of your business, the
changes mean that you must audit the
personal data you hold, you must ensure that
the dataflow is legally compliant, and you
must put in place processes which both
manage your use of personal data and (this is
the crucial bit) which demonstrate to the
regulator your ongoing compliance with the
Doing nothing is not an option.
As a business lawyer, I’m (meant to be)
interested in new business compliance laws.
As a business owner, I generally resent them.
Extra compliance costs, and the threat of
increased penalties for noncompliance
doesn’t make me any more enthusiastic.
Usually, my first reaction to new compliance
is the same as my 13 year old son’s attitude to
revision: is anyone else bothering to do
In Northern Ireland, from what my team
has seen, the answer is yes – but not much.
Businesses know generally that new data
laws are incoming sometime next year, but
the understanding of the detail of, and the
level of interest in, the GDPR varies
Meanwhile, the GDPR temperature’s rising:
lawyers write “less than one year to go”
articles, the Information Commissioner’s
Office publishes guidance on what bits of the
GDPR mean; GDPR compliance software
systems sales increase, and GDPR compliance
training consultants are running around
flagging the breach penalty increase from
£0.5 million to €20 million and generally
bellowing “Winter is coming!”
There’s still time to prepare. This article
summarises the three steps you need to take
before next May.
STEP 1: WHAT PERSONAL DATA DO YOU
USE, AND WHAT DO YOU DO WITH IT?
This is an audit stage. You need to look at
your organisation, and identify all personal
data which your organisation uses. Personal
Data means any information by which a
human being can be identified. There’s no set
list – personal data can range from names to
IP addresses; the test is whether you are able
to identify the individual to whom the data
relates on the basis of information available
Usually your organisation will hold
personal data about two broad classes of
individuals: your employees, and people
whose personal data will be used by you in
the course of your business.
You need to map out where you hold
personal data: which folders in which system
on which server. Where is the server located?
Who is currently able to access the personal
data? Who ought to be?
You need to work out the dataflow. This
means identifying firstly each way in which
the personal data is collected and brought
into your organisation. Secondly, the way in
which the personal data is stored and used
within your organisation. Finally, the way in
which your organisation passes personal data
to third parties. You need to be particularly
careful to flag up any process which transfers
personal data outside the EU.
The final part of the audit is to check where
you hold personal data as a data controller,
and where you hold it as a data processor. A
data controller can determine the purposes
for which personal data is used: a data
processor handles data as part of a service
provided to a third party. The distinction
between data processor and data controller is
important, since the GDPR imposes
obligations on controllers which are different
to those imposed on data processors.
The personal data audit achieves two
important steps. Firstly, you have a verifiable
description of the dataflow in your
organisation. If you can’t show this, you can’t
ever credibly show that you know how you
process personal data. And if you don’t know
how you process personal data, you can’t
know whether you’re complying with data
law. The audit’s the corner stone of your data
protection compliance, since it documents
what data you use, and how.
Secondly, a key aspect of GDPR is that you
have to be able to produce evidence of GDPR
compliance. If you have a documented data
audit, you’ll meet this requirement.
STEP 2: ARE YOU CURRENTLY
COMPLYING WITH THE GDPR?
The next step is a gap analysis: you need to
check whether the way in which you use
personal data meets the requirements of the
GDPR, and identify where the use isn’t
You’ll have to map your dataflow against
the GDPR the requirements of which are
stricter than current data law. For example,
currently you have to process personal data
“lawfully and fairly”. The most prevalent way
of fulfilling this is by obtaining the data
subject’s consent. The rules on consent
(especially consent from children) just got
much tougher under the GDPR. The GDPR
wants you to state expressly the lawful basis