GDPR: a lot easier said than done
The European Union’s General Data Protection Regulation (GDPR) will come into force in fewer than 18 months. It’s the biggest change in privacy rules the UK has ever seen. Have you started to prepare?
The rules will give people more control over their personal data. They also come with the potential for some hefty fines for companies that fail to comply: up to four per cent of global turnover or €20 million (£17 million) – whichever is greater – for each compliance failure.
Changes with the GDPR
Of course, we have had rules about data privacy in the UK for years. But a few things are changing with the GDPR:
- Under the old regime it was mainly data controllers that had responsibility for keeping personal data safe. Now if you are a data processor (and that means handling data in pretty much any way at all), you will share responsibility.
- Data collection will require clear affirmative consent for each separate use of the data – ready-ticked opt-in boxes are out!
- People will have new rights under the new rules, including the right to get a copy of the data you hold about them and also to have data deleted, or corrected if it is wrong.
- Some organisations that process personal data (including public bodies, organisations processing data about more than 5,000 people, organisations with more than 250 employees and organisations where the monitoring of people is a core activity) will need to employ an appropriately qualified data processing officer, who will provide independent advice.
- When high-risk activities are proposed (for example, the processing of data that could result in financial loss, identity theft or discrimination) you will need to conduct a data privacy impact assessment that identifies risks and mitigations.
- Data breaches must be reported to the data protection authority (the ICO in the UK) and also to the victims (unless the data was encrypted or there is no likelihood of serious damage to them). There is a time limit within which this must be done and a requirement to have the ability to detect personal data breaches.
Getting ready for GDPR
This needn’t be too worrying. The steps you need to take to ensure your business stays within the rules are not difficult. But you probably need to start now, as there are fewer than 18 months to go before those fines come into play.
- Identify any personal data that you hold. You will need to know how you got it and what you currently do with it, including who you share it with (that will include any cloud computing services you use). This is likely to require an audit that could take some time.
- Look at how you are currently obtaining consent to use personal data, including the information you give people at the time of collecting the data, and review whether this will be legal after May 2018. If not, you will need to make changes.
- Look at your data handling processes and make sure that you can handle requests from people about their data. This may include deleting their data from cloud computing services, so check whether you can do this and how long it takes (don’t rely on the assurances people make – check it in reality).
- Make sure you can verify the age of children if you are collecting data about them, and that you have processes to gain parental consent where required.
- Formalise your data protection policies and processes – and keep records of your decisions and why they were made.
Do you have the knowledge you need?
Protecting personal data privacy has always been a serious compliance and ethical issue for organisations. GDPR just makes this issue a little bit harder.
So if you feel you need to know more, why not join Emma Burton of the Privacy Consultancy and Jeremy Swinfen Green from TEISS Training for a full-day workshop on 21 April.