GDPR legal advice: lawyers give their top tips for GDPR preparation

GDPR may be a bane for most businesses, but for data protection lawyers it's a bonanza. The 99-article data protection regulation is a legal minefield for laymen that only professional advice can safely navigate.

With just 100 days to go until GDPR takes effect, only one in 10 British companies has started its preparations, according to government research.

They need to get cracking. Computerworld UK asked a selection of legal experts for their top tips on GDPR preparation ahead of the 25 May implementation date.


Understand where it applies

The GDPR may be EU legislation, but that doesn't make British organisations exempt. It will apply in the UK while the country remains in the EU, and will be largely mirrored by domestic legislation after it leaves.

"The GDPR will come into force before Brexit so compliance will still be required for UK companies," explains Gabriel Voisin, a partner at Bird & Bird and GDPR expert.

"Even after Brexit, we will most likely live here in the UK in a GDPR and the E-Privacy lookalike environment."

The EU GDPR homepage explains who needs to follow the new rules: "If you process data about individuals in the context of selling goods or services to citizens in other EU countries then you will need to comply with the GDPR, irrespective as to whether or not the UK retains the GDPR post-Brexit."

Map your data

Identify and document where all your data is held and how it is processed. GDPR applies to all personal data, a term that is broader than the 'personally identifiable information' familiar to US businesses.

"It's important to make sure that US clients are aware of, and understand that 'personally identifiable information' is not the same as the 'personal data' term that is used in the GDPR," says Voisin.

"The term 'personal data' is broader and covers information such as online identifiers, device IDs, cookie IDs, IP addresses, RFID tags. We are seeing a real gap of understanding about this, particularly between the EU and the US, so it's important these issues are ironed out."

Any such data obtained before the regulation takes effect can still be retained, provided its continued processing is in line with the new rules.

"If it has been obtained lawfully under the current directive, companies can continue using it," says Tobias Guenther, senior legal counsel and data protection officer for Mapp Digital.

"Consents given under this directive will also not necessarily be invalid. The GDPR states that consents do not need to be obtained again or confirmed by consumers, provided they conform to the GDPR requirements."

Update data protection policies

Existing data protection policies must be updated to meet the new standards enforced by GDPR.

The gaps identified when mapping your data need to be addressed and filled. Any changes and new policies should be documented and disseminated throughout the organisation.

Establish the legal basis for any processing

GDPR offers six lawful bases for data processing: the data subject's consent; processing necessary for the performance of a contract with the data subject; compliance with a legal obligation; protecting the vital interests of a data subject; performance of a task carried out in the public interest or in the exercise of official authority; and the legitimate interests of the controller or a third party.

Organisations should document the lawful basis for each processing activity and tell data subjects which basis applies to the processing of their data.

Conduct a risk analysis to avoid the new fines

GDPR infringements can result in fines of up to four percent of annual worldwide turnover or €20 million, whichever is greater.

"The new regulation is a binding legislative act, whereas the previous directive set out data law goals to all EU countries," says Mapp Digital's Guenther.

"This means you might have been getting away with data law breaches previously, but you could be facing huge fines if you do not get your data in order before May 2018."

Review third party suppliers

Audit your suppliers and revise any third-party contracts to ensure that all the processing they conduct on your data is compliant.

"Do you have a data processing agreement in place for every third-party processing data on your behalf?" asks Guenther.

"Review which suppliers you use and if you have an agreement in place. If that's not the case, you need to get data processing agreements set up before May 2018.

"Regarding consumer consents, the GDPR says consent will only be given for certain data processing by a clearly identified person or party. Using unspecified third parties will result in invalid consent, so beware of this."

Learn the new marketing rules

"In the UK, consent requirements in the direct marketing rules will not apply if you contact individuals to conduct genuine market research," says Bird & Bird's Gabriel Voisin.

"However, you cannot avoid them by labelling an email as a survey or market research if it is actually trying to sell goods or services.

"It's also important to be aware that certain EU countries such as Germany and France take a more stringent approach on the question of market research via email and consider that this type of activity is direct marketing."

Copyright © 2018 IDG Communications, Inc.