By now everyone will have seen the headlines and heard the acronym many times, but in case you’ve been camped in a remote jungle for the last few months, major changes are coming to data protection rules in Europe through GDPR. The General Data Protection Regulation (or GDPR) will be implemented into the UK through the Data Protection Bill 2017, which is currently going through the parliamentary processes.
Under the new rules, data subjects will get enhanced rights providing increased control over the collection and use of their personal data. There will also be further obligations on data controllers, with a move towards greater accountability and additional record keeping. However, the overall principles remain the same and the changes essentially incorporate what could currently be described as “best practice”.
Does It Really Affect Us?
Recent figures suggest that a substantial number of organisations do not think they will actually be affected by the rule changes and (un?)surprisingly one third are unsure where their data is stored. The reality, however, is that from 25 May 2018 any organisation that processes personal data will require to be GDPR compliant. “Processing” is defined very widely and includes holding, collecting, recording, amending, storing, organising, altering, using and deleting personal information, which essentially means that anything done with personal data will be covered.
A further substantial change, and certainly the one that has made most headlines, is the increase in potential fines to £18m or 4% of global turnover (well up on the current £500,000 level). It is important to note that this is the maximum level of fine, so not all businesses will be hit with that level of penalty. But it is clear that the days of simply budgeting to cover any potential data protection fine are gone, and businesses need to be looking at getting GDPR compliant.
Steps to Take
It is clear that this is not something that can be ignored or even pushed back to next quarter. Organisations should start planning now and allocate resources (financial and organisational) to reviewing their databases. The following are steps which can be taken and should help in becoming GDPR compliant.
To fully comply with the new accountability and record keeping requirements, organisations will need to carry out a data audit to understand the personal data they currently hold. It is important to identify all data sets held, and organisations should consider looking at (i) what data they have, (ii) how it comes into the organisation, (iii) how it is used, (iv) who it is shared with and (v) when it is deleted or destroyed. All other steps follow on from this, so it is a critical step in getting GDPR compliant and should be started as soon as possible to give time for the other steps to be completed before May 2018.
Basis for Processing
Once an organisation has completed a data audit, it should consider the legal basis for processing the information. Under data protection rules, there must be a lawful basis for all processing (either consent, contractual necessity, compliance with a legal obligation, vital interests, public interests or legitimate interests). Different individual rights will arise depending on the basis relied upon, so careful consideration should be given to which basis is best for an organisation. As a general rule, consent should not be relied upon where another basis is available, to avoid any issues if an individual withdraws consent midway through processing.
Privacy Notice & Policies
The privacy notice will be one of the key pieces of information to be provided by any data controller, setting out what data is collected, how it is processed and who can access it.
Additionally, organisations will need to review their policies and procedures to make sure they can respond to any requests within the given timescales (i.e. one month for access requests), and that they can monitor for breaches, deal with breach notifications within the short timeframe and mitigate any impact on data subjects.
A final important step for initial compliance is to educate: there is little point in getting all the rules and procedures in place if those within the organisation are not aware of them or do not follow them. Organisations should make sure all staff are aware of the relevant rules, and the rules should be actively enforced. Organisations might also consider designating someone to deal with data protection, so that staff know where to go to ask questions and get answers.
Although not strictly a point for initial compliance with the new rules, it is important going forward that an organisation does not simply review once and never again. The above steps should be repeated regularly to identify any issues needing correction or gaps needing to be plugged, and to check that the procedures in place remain fit for purpose.
For more information or help getting GDPR compliant, contact the Corporate Team at Blackadders.