Under the EU General Data Protection Regulation (GDPR), your organisation’s legal data protection responsibilities are about to change significantly.
The new legislation enforces new rules about the way data is collected, used, stored and shared, and it applies to SMEs as well as large multinationals and public sector entities.
GDPR succeeds the current Data Protection Act 1998 (DPA) and it will be enforced regardless of Brexit.
The aim of GDPR is to give citizens more control over their personal data and to simplify the regulatory regime for business in a tech-driven era where massive volumes of data are processed daily.
By May 2018 the EU and Information Commissioner’s Office (ICO) expect your firm to be fully compliant, and possible fines for breaches can run into millions of Euros.
So taking a few firm steps towards GDPR compliance should keep you safe and sound.
Does it affect me?
Whether you’re a sole trader or large corporation, compliance is mandatory.
It applies to all of the personal data about individual people collected and processed in its territorial scope, whether this data is stored electronically or on paper.
These principles apply under the current regime and will still apply under GDPR.
The ICO’s glossary of key data protection definitions will get you up to speed with the status quo. All these terms are still used in the same manner under GDPR.
What’s changing under GDPR?
The current data protection principles require that personal data:
- is processed fairly and lawfully
- is kept accurate and up-to-date and processed in a way that’s relevant
- is used only for the manner in which it was intended for
- is not excessive
- is processed in consideration of an individual’s rights
- is protected by appropriate security measures
- is not transferred to territories outside the EU that don’t apply adequate data protection measures.
These principles still apply under GDPR, with some important tweaks.
GDPR extends the definition of personal data to include genetic data like DNA, biometric data, location data and online identifiers like information gathered from an online service that could identify the person, for example social media logins, check-ins, purchase histories and analytics records.
Pseudonymous data is a new definition covering data where the personal identifying data is removed and stored separately.
GDPR requires stricter privacy policies, more efficient reporting of data breaches, more stringent awareness of processing children’s data and more awareness of consent.
Subject Access Requests (SARs) currently allow individuals to request that organisations confirm if their personal data is being processed, the purposes and categories of any data being processed and the recipients of the data and the logic behind any automatic processing decisions made using the data.
Requesters are also entitled to a copy of their data held in any form, although it’s likely that personal information of third parties will be redacted.
The same right applies under GDPR but organisations can typically no longer charge a fee. The lead time for completion is now a month instead of 40 days and additional information including retention periods should be included.
In simple terms, this means that your data protection lead or information governance officer might become significantly busier with SAR duties.
How do I prepare for these changes?
Privacy by design ensures that data protection considerations are built into every process, project and procedure a business undertakes, so protection of personal info is always prioritised.
This concept was best practice under DPA but wasn’t mandatory.
But under GDPR, privacy by design is enforced by law.
The ICO’s 12 step guide to GDPR preparedness is a must-read, but you can get started right now by taking these three crucial steps:
Designate a Data Protection Officer
Depending on the size of your organisation and the nature of your operations, you might need to employ a suitably qualified Data Protection Officer (DPO).
If you’re not sure whether you need to designate a DPO, the best advice is to presume you do.
Some firms won’t need to employ a DPO, but it’s still crucial that an internal member of staff adopts the role of information governance/data protection lead and is trained formally and appropriately.
Firms who don’t need a full-time DPO are still regulated by the same rules and to the same standards. Fines for non-compliance can be 20 million Euros or four per cent of global turnover.
Whatever sector you operate in, it’s worth at least investing in training a current staff member so they can develop expertise in this area and ensuring they’ve enough support and time to oversee, implement and enforce your data protection policy.
Complete a data protection audit
You might not know what information your organisation currently holds, where it’s held, why you have it and how long you should hold it for.
Performing an audit using the GDPR definitions, ICO advice and your own data protection policy as guidance allows you to check whether you’re compliant right now.
If you find shortcomings after your audit, you’ll recognise the areas of improvement that can be remedied immediately.
After all, it’s preferable for you to ensure you’re running a tight ship rather than hearing about failings following an ICO investigation.
Inform customers, clients and stakeholders about consent and legal basis
In almost all cases, an individual’s consent is required if you’re going to collect and process their data.
If consent isn’t required then your use of their data must be justifiable by law.
In either case, you should make your GDPR compliance, consent and/or the legal basis for collecting any data crystal clear to any data subject at any point it’s collected.
If you already have consent systems in place under DPA, these should be replaced and updated with the relevant GDPR information.
If you haven’t considered GDPR preparedness, these three steps will set you on the right footing and ensure peace of mind before May 2018.