Last October, McGuireWoods covered some of the key steps that reward professionals could take to get up to speed with the General Data Protection Regulation (GDPR) coming into force this May. With fines of up to €20 million or 4% of annual worldwide turnover, whichever is greater, at stake, GDPR compliance requires board-level attention and stakeholder buy-in. There are now only five months before the new law comes into force, so these are the next steps organisations should now be taking in their GDPR compliance project.
The first is subject access requests (SARs). Individuals will continue to have the right to ask any organisation processing their personal data for access to, and certain details regarding, that information. Under GDPR the procedure for making SARs is similar; however, the current £10 fee an organisation can request before responding to SARs has been abolished (unless the request is ‘manifestly unfounded or excessive’), and the timeframe for responding has been reduced from 40 days to one month. Organisations should now be designing and implementing policies and procedures for handling SARs and ensuring these take into account the new timescales. They should also be training staff to recognise and deal with SARs and implementing template response letters to ensure that all GDPR requirements are satisfied.
The second step is the appointment of a data protection officer. The GDPR requires some organisations to appoint a data protection officer in certain circumstances. It also sets out the tasks a data protection officer should carry out and employers’ duties with respect to those individuals. Regardless of whether GDPR requires the appointment of a data protection officer, any organisation can appoint one to assist with GDPR compliance. Organisations should now be considering whether they are required to appoint a data protection officer and if so, or if they choose to do so, identifying and appointing the appropriate person. This can be someone within the organisation or an external consultant who must have suitable skills and experience.
The third step is staff training. Making staff aware of GDPR and its legal requirements is a key element in any organisation’s GDPR compliance framework. Without an effective staff awareness programme, organisations run the risk of breaching GDPR, which can have serious financial consequences and cause reputational damage. Organisations should be designing and implementing an engaging training programme to give staff a clear understanding of the key changes introduced by GDPR and the requirements that will affect their daily work.
Sarah Thompson is an employment lawyer with international law firm McGuireWoods.