GDPR: Updating and Drafting New GDPR-Compliant Data Protection Policies
The General Data Protection Regulation 2016/679 (GDPR) replaces the existing data protection regimes in place throughout the European Union (EU), including the UK. It introduces a number of new obligations and requirements on controllers [1] and processors [2]. Compliance with the new regulations will be of even greater importance following the enforcement date of 25 May 2018, because the GDPR substantially increases the fines that can be imposed by the relevant regulatory bodies in the event of a breach – now up to a maximum of €20 million or 4% of annual global turnover, whichever is the higher.
Our first article in this series covered step 1 in your journey towards GDPR compliance. This involved carrying out a thorough and exhaustive data and information audit to identify the personal data of EU subjects processed by your company, whether as a data controller or processor, and why. Your second step is to review, in light of the results of the audit and the requirements of the GDPR, your existing data protection policies and practices to ensure their compliance.
Possibly the biggest change with the introduction of the GDPR is the introduction of the Accountability Principle. This states that the data controller is responsible for, and must be able to demonstrate compliance with, all of the requirements of the GDPR. It is crucial, therefore, that you document your data protection policy and practices review process so that you can demonstrate how your updated or new policies comply with the GDPR.
This exercise will be different for every company, and exactly which policies and procedures you will need to produce and implement will depend on the results of your audit and the nature of your business. As a helpful reference, a list of the most commonly required policies and a short summary of their content is set out below.
You can find more information about data protection policies and practices from our GDPR webpage and the following helpful Information Commissioner’s Office (ICO) webpages:
If you have any questions, or need any assistance with your data audit, please do get in touch.
In our next update we will discuss carrying out staff training to ensure that appropriate staff have the necessary knowledge of the data protection obligations, as well as raising the general education level of all employees.
[1] A ‘controller’ is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
[2] A ‘processor’ is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.