Last autumn we shared some information with you about the forthcoming changes to data protection law under the General Data Protection Regulation (GDPR), which is to be phased in from May 2018.
With just over a year before this comes into force, you should be starting to prepare now – as non-compliance could result in a serious fine.
Looking after the data which you collect, store and use in your business is a responsibility which you should already take seriously, and you should have already registered your activity with the Information Commissioner's Office (ICO).
The new rules are designed to align compliance in British businesses with the same data protection laws in Europe and create consistency around data protection.
There are some points to note in particular in the new GDPR. For example, if you fail to report a data security breach within a 72-hour window it could result in a significant fine of up to 10 million euros or 2 per cent of your global turnover. The GDPR also covers the storage of data in manual systems alongside digital and automated systems. Furthermore, you will be required to demonstrate how you comply with the Regulation – not just say that you do. Any business which collects and processes data relating to children will be required to seek parental consent.
This is by no means an exhaustive summary of the new Regulation – you should familiarise yourself with the requirements and keep up to speed with what's been described as a 'living document', with many of the details yet to be fleshed out by the working party.
In essence the GDPR states that personal data shall be –
(a) processed lawfully, fairly and in a transparent manner in relation to individuals;
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals;
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Article 5(2) requires that
“the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”
Prepare NOW for GDPR
The ICO has issued a document which details 12 steps that you should take now in preparation for the GDPR. These are:
Awareness: You should make sure that decision makers and key people in your organisation are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have.
Information you hold: You should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit.
Communicating privacy information: You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.
Individuals' rights: You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.
Subject access requests: You should update your procedures and plan how you will handle requests within the new timescales and provide any additional information.
Legal basis for processing personal data: You should look at the various types of data processing you carry out, identify your legal basis for carrying it out and document it.
Consent: You should review how you are seeking, obtaining and recording consent and whether you need to make any changes.
Children: You should start thinking now about putting systems in place to verify individuals' ages and to gather parental or guardian consent for the data processing activity.
Data breaches: You should make sure you have the right procedures in place to detect, report and investigate a personal data breach.
Data Protection by Design and Data Protection Impact Assessments: You should familiarise yourself now with the guidance the ICO has produced on Privacy Impact Assessments and work out how and when to implement them in your organisation.
Data Protection Officers: You should designate a Data Protection Officer, if required, or someone to take responsibility for data protection compliance, and assess where this role will sit within your organisation's structure and governance arrangements.
International: If your organisation operates internationally, you should determine which data protection supervisory authority you come under.
We hope that this article is helpful; it's certainly a subject which we'll be returning to again before next May. If you require any further guidance on the subject, please don't hesitate to get in touch with us here at Jones Harris and we will put you in touch with one of our many business contacts who will be able to give you further detailed guidance.
Get the latest updates
Make sure that you're following our website and sign up for the Jones Harris e-newsletter here.