Allison Wooddisse, head of in-house and compliance at LexisNexis, considers what is on the horizon in relation to data protection for 2018, and what should be top of your to-do list right now on your journey to GDPR readiness.
Data protection. What happened in 2017? It’s probably easier to say what hasn’t happened.
As we are all aware, the GDPR will become directly applicable and enforceable in the UK from 25 May 2018. The Data Protection Bill is currently before Parliament and is expected to receive Royal Assent in the near future.
At the time of writing, we still haven’t had final guidance from the Information Commissioner’s Office (ICO) on consent under the General Data Protection Regulation (GDPR), nor have we had detailed guidance on lawful grounds for processing, legitimate interests, consent and direct marketing. There’s also great uncertainty about whether the ePrivacy Regulation (currently in draft form) will be finalised and in force to coincide with implementation of the GDPR in May.
This all means that it is extremely difficult for organisations to draft their privacy notices and policies in readiness for the GDPR. This is because privacy notices and policies must state the lawful ground on which data is processed.
Many organisations will wish to move away from consent as the default ground for processing personal data, because the GDPR raises the bar for the standard of consent. ‘Legitimate interest’ is an attractive alternative ground for processing, but the only available, detailed guidance predates the GDPR.
Key steps to action now
The good news is, there are practical steps you can take today to be ahead of the game.
First things first. Before preparing a privacy notice or policy, it is critical that you comprehensively identify what data you process, why and how.
Armed with this information, you can then form a preliminary view on the most appropriate ground for each processing activity, including legitimate interests and consent. Then, and only then, can you draft your privacy notices and policies. Helpful tools to consider include a sample data processing map and a data and information register.
The GDPR represents the biggest overhaul in data protection law for two decades. As the deadline approaches, organisations must continue to review their internal procedures and arrangements with data subjects, suppliers and other third parties to ensure they comply with the obligations under the new regime.
Your to-do list
At the top of your to-do list right now are the following actions.
- Data mapping – find out whose data you are processing, why and how
- Making a start on legitimate interests assessments – this can’t wait for detailed ICO guidance, but there is enough information in the GDPR itself and pre-GDPR guidance to get ahead of the game.
Here, useful tools include a legitimate interest assessment to determine whether you have a legitimate interest in processing data under the GDPR and, if so, whether that legitimate interest is overridden by the rights and interests of the data subjects whose data you propose to process.
- Overhauling your preference centre, or deciding whether to set up a preference centre if you don’t already have one.
Consider a preference centre supplier questionnaire to help you establish more quickly and effectively whether an externally supplied or maintained preference centre complies with the requirements of the GDPR, particularly around consent for marketing communications.
LexisNexis is here to help you on your journey to GDPR readiness. Our free, downloadable GDPR planner aims to help you prepare your business data compliance processes, expanding on the suggested set of actions for each of the 12 areas issued by the ICO.