Worthingtons Solicitors

GDPR Compliance Programmes – 12 months down the track, time to consider a review

The GDPR became effective in all EU member states and in the European Economic Area (EEA) jurisdictions on 25 May 2018, introducing a new harmonised data protection compliance regime.

A company’s failure to comply with relevant data protection legislation and to implement an effective privacy compliance programme can trigger criminal offences as well as exposing the company and its officers to civil liability. Individuals who suffer damage or distress as a result of breaches of local legislation may be entitled to seek redress through the civil courts. Under the EU’s GDPR, an organisation can be exposed to fines of up to EUR 20 million or 4% of its total worldwide annual turnover. Many organisations now recognise the significant impact that an adverse ruling can have on their operations. Aside from the business interruption, inconvenience and cost that will result from remedying breaches, a company that is seen to disregard the privacy of its employees, customers and suppliers may suffer considerable reputational damage. Twelve months down the track, this is an opportune time for companies to conduct a review of their data protection compliance programmes.

By way of reminder, the key steps in establishing an effective data protection compliance programme for a corporate group are as follows:

  • Appointing a data protection officer (DPO) (if required or appropriate) or other person with responsibility for managing the compliance programme.
  • Identifying all countries in which processing activities take place or may be likely to take place in the future. The company should examine local data protection laws (outside the EU or EEA) to ensure specific compliance wherever its operations are located.
  • Conducting an internal data processing and compliance audit throughout the group to compile a Register of Data Processing Activities.
    • Identifying the controller(s) (both intra-group and third party).
    • Identifying the processor(s) (both intra-group and third party).
    • Ensuring appropriate legal grounds exist for each data processing activity, for example:
      • sending unsolicited commercial communications;
      • data transfers to third party processors; or
      • international data transfers.
  • Implementing systems to ensure only authorised employees have access to personal data.
  • Ensuring that appropriate data security levels exist within the group and appropriate arrangements have been put in place with third party processors.
  • Preparing and providing appropriate privacy notifications (for example, to employees, job applicants and customers) regarding the company’s processing activities.
  • Providing and maintaining an annual training programme for employees with access to personal data within the company.
  • Ensuring that any business processes and systems are designed in compliance with applicable privacy requirements, paying attention to data access, storage and retention practices.
  • Updating the Data Protection policy and building data protection principles and measures into all existing policies and procedures, including employment contracts and related HR policies.
  • Carrying out privacy impact assessments, if required or appropriate, on relevant business processes, systems and products to ensure compliance with privacy requirements.
  • Planning ahead for mandatory breach reporting to the ICO, including a data breach policy and an incident reporting plan.
  • Maintaining the compliance programme and creating ongoing processes for audit and review.

The Brexit uncertainty continues. Once (or if) the UK leaves the EU and any relevant transition period expires, the UK will become a “third country” for the purposes of data protection law. This status will have a number of significant practical consequences for international data protection compliance programmes, in particular in relation to international data transfers, competent supervisory authorities and enforcement of the GDPR.

Organisations should obtain legal advice in relation to their organisation’s specific duties and responsibilities. Louise McAloon is a Partner specialising in employment & GDPR law in Worthingtons Solicitors, Belfast. For legal advice or details of seminars, policies and staff training packages available please telephone 028 90434015 or email [email protected].
