Business First Magazine Summer 2017 | Page 18

GDPR: What you need to do before May 2018

Rory Campbell from Forde Campbell LLC outlines the three stages every business in Northern Ireland needs to complete to fulfil their data protection responsibilities and avoid the wrath of the ICO next May.

So. May 25th 2018. Under a year to go, then, until the radical new data protection regulations become law. Radical, because the General Data Protection Regulation uproots much of the existing regime to place new requirements on businesses. Whatever the nature of your business, the changes mean that you must audit the personal data you hold, you must ensure that the dataflow is legally compliant, and you must put in place processes which both manage your use of personal data and (this is the crucial bit) which demonstrate to the regulator your ongoing compliance with the GDPR. Doing nothing is not an option.

As a business lawyer, I’m (meant to be) interested in new business compliance laws. As a business owner, I generally resent them. Extra compliance costs, and the threat of increased penalties for non-compliance, don’t make me any more enthusiastic. Usually, my first reaction to new compliance is the same as my 13 year old son’s attitude to revision: is anyone else bothering to do anything?

In Northern Ireland, from what my team has seen, the answer is yes – but not much. Businesses know generally that new data laws are incoming sometime next year, but the understanding of the detail of, and the level of interest in, the GDPR varies significantly. Meanwhile, the GDPR temperature’s rising: lawyers write “less than one year to go” articles, the Information Commissioner’s Office publishes guidance on what bits of the GDPR mean; GDPR compliance software systems sales increase, and GDPR compliance training consultants are running around flagging the breach penalty increase from £0.5 million to €20 million and generally bellowing “Winter is coming!” There’s still time to prepare.
This article summarises the three steps you need to take before next May.

STEP 1: WHAT PERSONAL DATA DO YOU USE, AND WHAT DO YOU DO WITH IT?

This is an audit stage. You need to look at your organisation, and identify all personal data which your organisation uses. Personal data means any information by which a human being can be identified. There’s no set list – personal data can range from names to IP addresses; the test is whether you are able to identify the individual to whom the data relates on the basis of information available to you. Usually your organisation will hold personal data about two broad classes of individuals: your employees, and people whose personal data will be used by you in the course of your business.

You need to map out where you hold personal data: which folders in which system on which server. Where is the server located? Who is currently able to access the personal data? Who ought to be?

You need to work out the dataflow. This means identifying, firstly, each way in which the personal data is collected and brought into your organisation; secondly, the way in which the personal data is stored and used within your organisation; and finally, the way in which your organisation passes personal data to third parties. You need to be particularly careful to flag up any process which transfers personal data outside the EU.

The final part of the audit is to check where you hold personal data as a data controller, and where you hold it as a data processor. A data controller determines the purposes for which personal data is used; a data processor handles data as part of a service provided to a third party. The distinction between data processor and data controller is important, since the GDPR imposes obligations on controllers which are different to those imposed on data processors.

The personal data audit achieves two important steps. Firstly, you have a verifiable description of the dataflow in your organisation.
If you can’t show this, you can’t ever credibly show that you know how you process personal data. And if you don’t know how you process personal data, you can’t know whether you’re complying with data law. The audit’s the cornerstone of your data protection compliance, since it documents what data you use, and how. Secondly, a key aspect of the GDPR is that you have to be able to produce evidence of GDPR compliance. If you have a documented data audit, you’ll meet this requirement.

STEP 2: ARE YOU CURRENTLY COMPLYING WITH THE GDPR?

The next step is a gap analysis: you need to check whether the way in which you use personal data meets the requirements of the GDPR, and identify where the use isn’t compliant. You’ll have to map your dataflow against the GDPR – the requirements of which are stricter than current data law. For example, currently you have to process personal data “lawfully and fairly”. The most prevalent way of fulfilling this is by obtaining the data subject’s consent. The rules on consent (especially consent from children) just got much tougher under the GDPR. The GDPR wants you to state expressly the lawful basis