Allison Wooddisse, Head of In-House and Compliance, LexisNexis, considers what is on the horizon in relation to data protection and the GDPR for 2018 and what should be top of your to-do list right now on your journey to GDPR readiness.
Data protection. What happened in 2017? It’s probably easier to say what hasn’t happened.
At the time of writing, we still haven’t had final guidance from the Information Commissioner’s Office (ICO) on consent under the General Data Protection Regulation, Regulation (EU) 2016/679. Nor have we had detailed guidance on the scope of legitimate interests, direct marketing under the GDPR, and lawful processing. There’s also great uncertainty about whether the ePrivacy Regulation (currently in draft form) will be finalised and in force to coincide with implementation of the GDPR.
What are the practical implications?
It’s extremely difficult for organisations to draft their privacy notices and policies in readiness for the GDPR. This is because privacy notices and policies must state the lawful ground on which data is processed.
Many organisations will wish to move away from consent as the default ground for processing personal data, because the GDPR raises the bar for the standard of consent. ‘Legitimate interest’ is an attractive alternative ground for processing, but the only available detailed guidance predates the GDPR.
Key steps to action now.
The good news is, there are practical steps you can take today to be ahead of the game.
Before preparing a privacy notice or policy it is critical that you comprehensively identify what data you process, why and how.
Armed with this information, you can then form a preliminary view on the most appropriate ground for each processing activity, including legitimate interests and consent. Then, and only then, can you draft your privacy notices and policies. Helpful tools to consider include a sample data processing map and data and information register.
What’s on the horizon?
As we are all aware, the GDPR will become directly applicable and enforceable in the UK from 25 May 2018. The Data Protection Bill is currently before Parliament and is expected to receive Royal Assent shortly in the New Year. We also have our fingers crossed for detailed guidance from the ICO or EU on lawful grounds for processing, legitimate interests, consent and direct marketing. But time is pressing on and organisations cannot wait for the regulators to tell them what to do.
The GDPR represents the biggest overhaul in data protection law for two decades. As the deadline approaches, organisations must continue to review their internal procedures and arrangements with data subjects, suppliers and other third parties to ensure they comply with the obligations under the new regime.
Get ahead of the game
Top of your to-do list right now.
1.Data mapping—find out whose data are you processing, why and how
2. Making a start on legitimate interests assessments—this can’t wait for detailed ICO guidance and there is enough information in the GDPR itself and pre-GDPR guidance to get ahead of the game.
Here, useful tools include a legitimate interest assessment to determine whether you have a legitimate interest in processing data under the General Data Protection Regulation (GDPR) and, if so, whether that legitimate interest is overridden by the rights and interests of the data subjects whose data you propose to process.
3. Overhauling your preference centre, or deciding whether to set up a preference centre if you don’t already have one.
Consider a preference centre supplier questionnaire to help you establish quicker and more effectively whether an externally supplied or maintained preference centre complies with the requirements of the General Data Protection Regulation, particularly around consent for marketing communications.
Your step by step project plan to GDPR readiness
We’re here to help you on your journey to GDPR readiness.
Our GDPR planner aims to help you prepare your business data compliance processes. It expands on the suggested set of actions for each of the 12 areas issued by the Information Commissioner’s Office (ICO).
This is one of many practical tools to help you manage your compliance obligations faster and more effectively within our LexisPSL Risk & Compliance module – created specifically to support in-house lawyers identify and manage risk in their organisations.
With email news alerts, monthly highlights and forecasts; practice notes explaining the “what and the why” in key areas of risk such as crisis management, anti-money laundering, anti-bribery & corruption; and an unmatched suite of precedents to help you put effective systems and process in place – fast. Request a free, no-obligation trial.