Businesses across the EU have just four months to prepare for the implementation of General Data Protection Regulation (GDPR).

The new regulation—which will take immediate effect from 25 May 2018 without any need for domestic law ratification—introduces sweeping new requirements for companies handling personal data.

Sybille Steiner, partner at law firm Irwin Mitchell, said that organisations need to conduct data audit to identify areas where action needs to be taken to ensure compliance.

“Businesses need to understand the data held within the organisation, where that data comes from and where/how it is stored, what happens to it while it is within the organisation and when and how it is deleted.

“Where any areas of non-compliance are identified, or where activities pose a risk, the business will need to formulate a plan to address them.”

GDPR requires organisations which process data—whether internally or externally—to obtain “specific, informed and freely given” consent from individuals whose data is being processed. This means businesses need to check their consent practices and existing consents and refresh them if they don’t meet the GDPR standard.

Consent requires a positive opt-in; pre-ticked boxes or any other method of default consent will not suffice, and consent requests should be kept separate from other terms and conditions.

Steiner said that it is common for businesses to have general “catch-all” consent clauses within employee contracts or data protection policies.

“These will no longer be valid forms of consent and businesses need to review employment contracts and policies to decide whether consent should be relied upon at all and if yes, in which form.”

Data protection review

Data protection policies need to be reviewed, she said, and should clearly set out:

• what personal data is and why data protection is important;
• information about the collection and use of personal data, on what basis and why this is processed;
• what the data rights of employees are and how the employer will ensure these are upheld;
• how data breaches are dealt with; and
• the consequences, for the business and individual, of non-compliance.

“The written policy should also set out when and how specific categories of personal data are deleted,” she added. “It should include the new ‘right to be forgotten’, requiring data processors to delete personal data where the data is no longer necessary for the purpose in relation to which it was collected, consent has been withdrawn or if the data was processed in breach of the GDPR.”

All staff should be trained in handling data, she said, and businesses should have an internal reporting procedure in place to ensure they abide by the GDPR duty on all organisations to report any data breach within 72 hours.