GDPR: Getting Data Protection Right (Part Five - Accountability)
With a few weeks to go until the GDPR comes into force, now is the time to act: if you haven't already taken steps to comply, your organisation needs to do so as soon as possible.
This is Part Five, the final blog in Mills & Reeve's series on Getting Data Protection Right, and it focuses on accountability.
In previous posts we looked at:
- Part One: Lawful processing
- Part Two: Transparency
- Part Three: Data security
- Part Four: Individuals’ rights
The GDPR is designed to ensure organisations are more accountable for their personal data processing activities. This is emphasised by the fact that there is a new obligation to report data security breaches to the ICO within 72 hours of becoming aware of the breach and by the maximum level of fine that can be administered (€20 million, or 4% of global annual turnover if higher).
Hacking incidents and leaks over the past year or so underline the need to have a plan in place to contain and manage a data breach.
The focus on accountability should also have an impact on record keeping relating to decision making under the GDPR. For example, you’ll need to keep a record of your assessment as to whether the legitimate interests condition for processing is met, and any decisions to supply or withhold information in response to a subject access request.
Practical steps to take now
Review the existing procedures you have for dealing with breaches. For example:
- are the right people involved, both to take decisions and to undertake technical activities to try to minimise the scale of breach and consequences on data subjects?
- how are the right people going to be contacted if a breach is discovered at 5.45pm on a Friday or midday on a Sunday?
Keep the right records so you are able to demonstrate compliance. Template record-keeping forms have now been published by the ICO.
You should also be able to demonstrate the lawful basis for processing personal data (in line with Part One of our blogs).
At Mills & Reeve we offer a range of products and services relating to GDPR-readiness and data protection – to find out more please contact one of our data protection experts Paul Knight, Sarah Whyman or Edward Hadcock.