Data protection law update

The General Data Protection Regulation: stop worrying, get a plan and get moving

The new GDPR contains critical obligations, and while there is still time to meet the deadline, you need to act now, according to Paula Tighe.


About the author
Paula Tighe is the information governance director at Wright Hassall, Warwickshire.

The General Data Protection Regulation (GDPR) comes into effect on 25 May 2018, and while it may still feel a long way off, most businesses will need months of work to ensure that they are compliant. It is essential that the key people within your organisation understand what effect the GDPR will have on it, and just how much work might be involved: this is not a tick-box exercise that can be left to the last minute, and the consequences of non-compliance could be grave.

Regardless of the size of your business and the amount of data involved, the basic principles will be the same, and it starts with a comprehensive plan agreed between the people who will need to drive through the necessary changes.

And the fact that the UK is leaving the EU does not alter the requirement to comply. Remember, it does not matter where in the world your data comes from: if it is used, recorded or processed in the EU, you will still have to comply with the GDPR.

Raise awareness and register it

The first step is for you to ensure that all the decision-makers in your organisation understand that the law is changing and that the implications of non-compliance are serious. You also need to record the process of meeting the regulatory requirements; this will help to mitigate any risk of incurring penalties for non-compliance after May 2018.

This record is your Data Register, and should include what personal data you hold currently and the reasons for processing it, including where it came from and with whom you share it. This will help you comply with the accountability principles of the GDPR, which require you to have effective policies and procedures in place.

Review and amend your processes

Compliance will require an understanding of the reasons you do things and how you do them, rather than necessarily stopping you doing them. Make sure that you review the following:

Rights of the individual

Individuals will have more control over their personal data under the GDPR. Check your procedures and amend if necessary, detailing the format in which you will provide data, how you will delete it, and how you will correct mistakes. Individuals also have the right to have their information erased, and the right to be forgotten. You must be able to prove that you have a process in place to comply with such a request, if challenged in the future.

Perhaps one of the key drivers for the changes is the right of an individual to prevent their data being used for direct marketing purposes; another is the right to challenge and prevent automated decision-making and profiling.

Having transparent procedures in place will go a long way towards heading off any future problems with the regulator, regardless of complaints or investigations. Remember, if your organisation handles personal data correctly under the current Data Protection Act 1998, the switch to the GDPR should pose no real problems.

Prepare for personal requests

If an individual makes a subject access request (ie, to see what information you hold on them) you must be able to comply within one month, and you cannot charge for doing so. You can refuse to comply if you think that the request has no merit; however, you must tell the individual why and that they have the right to complain to the regulator. Key areas to remember are as follows:

Again, in all reality for small and medium-sized enterprises, it will be more important to show a willingness to comply by endeavouring to put in place all the necessary steps, and recording the process in the data register, than it will be to be fully compliant on day one.

Never assume you have consent

This sounds simple, but might in fact be one of the trickier areas of the GDPR: consent for personal data to be captured and used for more than just contact.

Although an individual must give clear consent for their data to be used, they must be allowed to revoke their consent, at any time, just as easily. And, if you change the way you want to use their data, sharing it with a new partner for instance, you must obtain a new consent.

Again, while consent can never be inferred and must be explicit, your attempt to obtain and confirm consent - even if you do not receive a reply - will help mitigate any future problems at the hands of the regulator.

Keep reviewing and keep recording

Under the GDPR, when you are obtaining and processing personal and sensitive categories of data, you need to record how this data will be retained and under what conditions; for example, is the retention period required for legal, regulatory and/or organisational purposes?

The new regulation brings a requirement for all businesses affected by the GDPR to not only have a retention (ie, data minimisation) policy and schedule, but to carry out mandatory privacy impact assessments (PIA) if they want to process personal data as part of normal business practices, or if such data is to be processed on a new technological or information society system, or if it contains sensitive categories of data.

These assessments will help you identify the likely effects on the individual and mitigate any risk, and help you to build ‘privacy by design’ into how you obtain and process individuals’ data. Ensure that you have a robust process for making the assessments, and then record it along with the outcome: a PIA is a simple step towards compliance, with the emphasis on what you do rather than on what you say you will do.

Make someone responsible and keep it up

If you monitor routinely or process personal data on a large scale, you should appoint a data protection officer who understands the GDPR and how best to drive your data privacy processes. But it does not necessarily have to be someone within your organisation: smaller businesses might choose to appoint an appropriate individual on a part-time or consultancy basis. It is also important to ensure that all your staff are trained on the correct handling of personal data.

It is not just electronically held data that can pose a problem: you need to be aware of other data records held within your organisation, including index cards, as these too are covered by the GDPR.

Record how you handle each step of the process in your data register. In the event of a complaint or a data breach, it will be those organisations that are unable to demonstrate what they did to assess risk and mitigate it that will suffer; those organisations that make an effort will have their work recognised, even if they are not fully compliant with every aspect of the GDPR from the word go.

The EU GDPR replaces the Data Protection Directive 95/46/EC, and was designed to harmonise data privacy laws across Europe, to protect and empower all EU citizens' data privacy, and to reshape the way organisations across the region approach data privacy. The key articles of the GDPR, as well as information on its business impact, can be found throughout the GDPR portal at: www.eugdpr.org. This website is a resource to educate the public about the main elements of the GDPR.