The GDPR introduced (among other things):
- enhanced documentation to be kept by data controllers
- enhanced Privacy Notices
- more prescriptive rules on what constitutes consent (one of the most commonly relied-upon grounds for lawful processing)
- mandatory data breach notification requirement
- enhanced rights for Data Subjects (the individuals whose data is being processed)
- new obligations on Data Processors (third parties carrying out processing activities on behalf of the main party) and
- an obligation to appoint dedicated Data Protection Officers for organisations over a particular size or if carrying out systematic processing of certain types of personal data.
Since our Webinar, the ICO has published an update on its own reflections and learnings from the past twelve months, and has refreshed its Regulatory Action Policy. In that report, the ICO flagged the ongoing challenges for small and medium-sized businesses and organisations, including that organisations need to be able to demonstrate their compliance with the GDPR: by showing accountability, by being able to demonstrate an understanding of the risks to individuals in the way they process data, and by showing (and acting on) how those risks should be limited.

The refreshed ICO Policy continues to follow a risk-based approach to taking regulatory action against organisations and individuals that have breached the provisions of data protection, freedom of information and other legislation, focusing on the areas of highest risk and most harm. The ICO has wide-ranging powers under various pieces of legislation, which include (among other things) the power to:
- carry out audits or “compliance assessments” of organisations;
- issue enforcement notices (orders requiring specific actions to resolve breaches);
- fine organisations for breaches of the GDPR;
- issue fixed penalties to organisations for failing to meet specific obligations (e.g. a failure to pay the relevant fee to the ICO); and
- prosecute criminal offences before the courts.
- the attitude and conduct of the individual or organisation concerned suggests an intentional, wilful or negligent approach to compliance, or an unlawful business or operating model;
- advice, warnings, consultation feedback, conditions or guidance from the ICO have not been followed; and
- any financial (including budgetary) benefits gained or financial losses avoided by the relevant individual or organisation, directly or indirectly.
- the organisation had in place any protective or preventative measures and available technology; or
- if there was early notification by the relevant individual or organisation to the ICO of the breach or issue.
- Privacy Notices (to show individuals what data is held and what is done with it)
- Data Processing Log (an internal management document under Article 30 GDPR showing the processing undertaken and decisions relating to that processing)
- Subject Access request policy (an internal policy for staff detailing how requests from individuals will be dealt with by the organisation and how to respond to a request in a GDPR compliant way)
- Data Retention policies (an internal policy for staff detailing how documents should be kept safely and securely, including minimum and (where applicable) maximum retention periods needed to demonstrate compliance with various laws, including tax and contract law, as well as the destruction of documents in a GDPR compliant way)
- Data Processing Agreements (with third parties) – a requirement of the GDPR
- Data Breach Process (an internal policy for staff detailing how breaches of GDPR will be dealt with by the organisation in a GDPR compliant way)
If you remain somewhat uncertain about your position regarding the full compliance of your data protection procedures, you can check your position via our handy GDPR Checklist. For further GDPR legal advice, please enter an enquiry or call us today on 020 7148 1066 to speak to a member of our friendly Client Care Team. The author of this article is expert LawBrief Rachel Robinson.
Rachel has over 20 years’ experience of providing company commercial law advice, including drafting contracts, data protection and competition law, to organisations of all sizes, ranging from FTSE100 companies to owner-managed small businesses.