Big Change is Coming Down the Line – the General Data Protection Regulation
The General Data Protection Regulation (GDPR) represents a seismic shift in the way businesses will be allowed to process data. Any railway business that handles data relating to individuals in the EU will be affected, whether or not those individuals are EU citizens. From marketing to how you hold data on your employees, the regulation has far-reaching implications. In this article Ben Travers, Head of Intellectual Property and IT Legal Services at Stephens Scown, explains some of the key changes.
Although most businesses are likely to have heard about GDPR, there is a significant amount of confusion about what businesses need to change to comply. And there is a lot at stake. Fines for breaches can be up to 20 million euros or 4 per cent of the business's annual worldwide turnover, whichever is higher. The regulation applies from 25 May 2018, so many businesses have been working hard to get their house in order in time.
Start with the right mind-set
The starting point must be to ensure you have the right mind-set when dealing with data. Although personal data (i.e. data which identifies a living individual) might sit on your organisation's server, that does not mean it is your data. Instead, you may process it only where you have a lawful basis for doing so (consent is one such basis, but not the only one) and only for the purposes for which it was collected.
In order to get started on a GDPR compliance journey, the first step is to undertake a data mapping exercise by auditing your data. You need to work out where data originates from, what the lawful basis for processing it is (and, where that basis is consent, where the record of that consent is), where data is shared with third parties, how it is used, etc. You can then identify where work needs to be done to clear up any consents, change IT practices and liaise with third party suppliers.
While many businesses mistakenly believe that GDPR only relates to marketing information, the actual remit is much broader. For example, it dictates how you use employee data. If your business uses a third-party payroll company, you must first make sure employees are aware and secondly that the contracts with the payroll company are GDPR-compliant.
This compliance of contracts needs to be replicated across all third parties who receive data. For railway businesses this may include marketing companies, website hosting companies and group companies for example. This contract review tends to be one of the biggest pieces of a GDPR compliance programme.
Any idea that GDPR is simply an IT problem or an HR problem alone is missing the bigger picture.
IT does have an important part to play and it is essential that all systems are compliant. It is also essential that the legal agreements with IT providers are reviewed and re-negotiated if necessary to ensure they are GDPR-compliant.
The HR element is also significant. A large proportion of data breaches involve human error. You can have the best IT systems in the world and still be in breach of GDPR if, for example, employees use weak or shared passwords or send personal data to the wrong recipient. For this reason, training is very important. GDPR requires that staff who handle personal data are trained to do so in a compliant fashion. It also requires that policies are updated and that staff are trained on them.
Roadmap to GDPR compliance
For most organisations GDPR compliance will take some time to achieve, there is no quick fix. As a general roadmap businesses should consider taking the following steps:
- Conduct a data mapping exercise – identify what personal data you hold, where it sits, how it is used, etc.
- Obtain consents where they are needed and lacking.
- Review agreements with third parties who have access to data (such as marketing companies, email hosting companies, etc.), re-negotiate these or find another supplier if appropriate.
- Ensure your customer-facing agreements, employment contracts, policies etc. are updated and are compliant.
- Consider deleting data for which no lawful basis can be established and which cannot be cleansed to make it compliant.
- Ensure staff are trained.
- Ensure that you have a breach policy. Notifiable breaches must be reported to the ICO without undue delay and, where feasible, within 72 hours of your becoming aware of them, and affected individuals must be told without undue delay where the breach poses a high risk to them. It is essential that HR engenders a culture where people feel comfortable disclosing breaches promptly, because the 72-hour clock starts when the organisation becomes aware, not when the board is told.
- Have a central point of contact within the organisation who understands data protection and can deal with queries as they arrive.
- Ensure that all new projects (including software, builds, use of third party suppliers, etc.) are built with "privacy by design and by default". This needs to be documented, for example through a data protection impact assessment, in the same way that you would conduct and record a health and safety assessment.
The legal changes for GDPR are relatively straightforward; the ramifications for how businesses deal with data are not.
Ben Travers is a partner and head of intellectual property and IT at Stephens Scown LLP. If you have any questions about your business’s GDPR obligations, please call Ben Travers on 01392 210700 or email [email protected] For more information visit www.stephens-scown.co.uk