General Data Protection Regulation
10 STEPS TO GDPR GUERNSEY & JERSEY
GDPR: a snippet
As many of you will be aware, the EU has adopted a new framework in respect of data protection which will come into force on 25 May 2018, the General Data Protection Regulation (GDPR). Although Guernsey and Jersey are not members of the EU, the GDPR has far wider reach than just the EU and will also apply to many organisations targeting EU citizens. In addition, Guernsey and Jersey will want to remain "adequate" jurisdictions for data protection purposes and, in order to do this, will bring in their own GDPR-compliant legislation. The Islands' Commissioner for data protection has therefore proposed 10 steps for organisations to take in preparation for the enforcement of the GDPR and the equivalent local legislation.
THE DATA PROTECTION PRINCIPLES
The cornerstone of the GDPR and the new legislation being introduced in Guernsey and Jersey (the "new regime") is the data protection principles.
mourantozannes.com/gdpr
Personal Data must be:
Processed lawfully, fairly and in a transparent manner
Collected for specified, explicit and legitimate purposes
Adequate, relevant and limited to what is necessary for the purposes for which they are processed
Accurate and kept up to date
Kept in a form which permits identification of data subjects for no longer than is necessary
Processed in a manner that ensures appropriate security
The new regime also imposes a new obligation of accountability under which it will be your responsibility as a data controller to be able to demonstrate compliance with each of the above. Do make sure you have adequate policies and procedures in place to be able to do so. Primary processors have similar obligations where they engage a secondary processor.
The 10 steps
01 Awareness
02 What, Where, Why, How?
03 Privacy Notices
04 Individuals' Rights
05 Subject Access Requests
06 Consent, Including Children
07 Data Breaches
08 Privacy By Design, DPIAs
09 Data Protection Officers
10 Wider Scope
STEP ONE
AWARENESS
You should consider undertaking a data protection audit and ensure that senior management are aware of the key changes the GDPR will bring; obtain board support; instruct key employees with keeping up with developments; and ensure you have adequate training on the GDPR in place.
STEP TWO
WHAT, WHERE, WHY, HOW?
You should document what data you hold; where the data came from; whom you share data with; the purposes for which the data are being processed; and how the processing is lawful (you will need a legal basis in respect of each processing purpose). In summary, the legal bases for lawful processing of personal data are as follows, but remember that different legal bases will apply in respect of special categories of personal data (which has a slightly wider definition than sensitive personal data had under the old laws):
Consent
Performance of a contract
Compliance with a legal obligation
Vital interests
Public interest
Legitimate interests
STEP THREE
PRIVACY NOTICES
Ensure you have privacy notices in place, which are clear and concise and set out all the information required under the GDPR, including your contact details, the purpose of the processing, the period for which data will be stored, the rights of data subjects etc.
STEP FOUR
INDIVIDUALS' RIGHTS
Ensure that you have adequate procedures in place to enable you to comply with individuals' data rights:
The right of access
The right to rectification
The right to erasure (to be forgotten)
Right to restriction of processing
Right to data portability
Right to object to processing
Right not to be subject to a decision based solely on automated processing
STEP FIVE
SUBJECT ACCESS REQUESTS
The rules on subject access requests will change:
You will have one month to comply, subject to a two-month extension
You will not be able to charge a fee unless the request is manifestly unfounded, excessive or repetitive, or if the data subject has requested further copies
The information will usually need to be provided in a commonly used electronic form
So, do ensure you have policies and procedures in place to deal with such requests and to justify refusals to comply where appropriate.
STEP SIX
CONSENT (INCLUDING CHILDREN)
Review how you seek and record consent
Consider whether it may be more appropriate to rely on other legal bases
Consent must be a clear, affirmative act or statement
Consent must be as easily withdrawn as it is given
You should ensure that you can demonstrate that consent was given
Remember that stricter rules apply in respect of children
STEP SEVEN
DATA BREACHES
You should ensure a level of security appropriate to the risks of accidental / unlawful destruction, loss, alteration, unauthorised disclosure or access to personal data
If a breach is detected, depending on the likelihood of risks to the rights and freedoms of the data subjects, you may need to notify the supervisory authority without undue delay and in any case within 72 hours of having become aware of the breach
You may also be required to notify the data subject(s) without undue delay
Where possible, you should mitigate the possible adverse effects of any personal data breach
As well as external notifications, develop internal reporting mechanisms and offer appropriate training to ensure your employees know what to do if they become aware of a breach
STEP EIGHT
PRIVACY BY DESIGN & DPIAs
You should implement technical and organisational measures to reduce the risk of breach, train staff about data protection, undertake regular audits and maintain appropriate documentation
Where your processing is likely to result in high risk to the rights and freedoms of natural persons, you will need to conduct Data Protection Impact Assessments (DPIAs)
To ensure appropriate governance arrangements are in place and can be demonstrated, it will be prudent to undertake DPIAs as a standard part of data management.
STEP NINE
DATA PROTECTION OFFICERS
Some organisations will require a data protection officer (e.g. those whose core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale)
Consider whether your organisation needs a DPO but in any case, it will be useful to have someone in charge of your data protection obligations
A DPO must be someone with expert knowledge of data protection law and practices who can take responsibility for data protection compliance
STEP TEN
WIDER SCOPE
The new regime applies beyond the EU and Channel Islands
The rules in respect of transfers of personal data to countries outside the EEA and international organisations have changed
The list of countries which have previously been considered as "adequate" jurisdictions for the purposes of data protection (which include Guernsey and Jersey) will remain so unless and until the European Commission decides otherwise
Processors also come under the remit of and may face liability under the new regime
WANT TO KNOW MORE?
For further information on any of the steps to the new regime: GDPRNews@mourantozannes.com
mourantozannes.com/gdpr