TEISS’s Head of Consulting, Jeremy Swinfen Green, explains what organisations have to do to get ready for the GDPR, the EU’s new data protection rules, which come into force in the UK exactly a year from now.
The EU’s General Data Protection Regulation will apply across the European Union from 25 May 2018. The Regulation, designed to give European citizens control over their personal data, strengthens the rules around data privacy in a number of important ways.
The Regulation is generally considered to be a proportionate piece of legislation. But it does present any organisation that holds personal data (which includes email addresses, photos and even IP addresses) with a significant challenge.
But before we think about what organisations need to put in place to comply with the GDPR, let’s get one thing straight: Brexit makes no difference!
The rules will apply in the UK for at least a year before Brexit happens. But even after Brexit the rules will remain. The “Great Repeal Bill” will keep most EU laws in place at least until individual laws are reviewed. And the Government has already promised that any new data privacy law will be very like the GDPR.
So we are going to have to comply with the GDPR. And with fines of up to 4% of global annual turnover (or €20 million, whichever is higher), non-compliance can hardly be considered a “cost of doing business” any more.
Planning for GDPR
With just a year to go, now is the time to start planning for GDPR, if you haven’t started already. There is plenty to do, and here are our 10 tasks that you need to start addressing right away. Taken as a whole, getting ready for GDPR is likely to take you several months, and quite possibly longer than a year.
1. Sell GDPR in at the top management level
There is a lot to be done to get most organisations ready for GDPR. Some things will be disruptive. Some will be time consuming. You are likely to need support from senior management to tackle people’s objections.
2. Check what personal data you hold, where it came from and who you share it with
This is likely to require an information audit across your organisation, which could be complex and time consuming. Don’t just look for data in the obvious places. Consider backups, software projects, employee emails, joint projects that use cloud computing: anywhere that personal data might be lurking.
Make a special effort if you collect and hold data about children or “sensitive data” such as data relating to ethnicity, religion or health. There are particular requirements you will need to comply with, including getting the permission of a parent or guardian before using children’s data in an online service offered directly to a child.
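The audit above is easiest to start with the structured identifiers the Regulation names, email addresses and IP addresses, because they can be found mechanically. The following script is an added example, not part of the original article or of any TEISS tooling: it walks a directory tree (including files with backup-style extensions, which audits often miss), pattern-matches each text file for email addresses and IPv4 addresses, and reports which files hold what. The sample files it writes to a temporary directory are constructed for the demonstration; the list of text-like file extensions is an assumption you should widen to match your own estate. It finds only identifiers with a recognisable shape; names, photos and free-text health details still need a manual review.

```python
import re
import tempfile
from pathlib import Path

# Identifiers with a mechanically recognisable shape. The IPv4 pattern rejects
# octets above 255 so that version strings such as "2.1.0" are not reported.
EMAIL_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")
IPV4_RE = re.compile(
    r"\b(?:(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.){3}"
    r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\b"
)

# Assumed set of extensions worth reading as text. ".bak" is included on
# purpose: stale backups are a classic place for forgotten personal data.
TEXT_SUFFIXES = {".txt", ".csv", ".log", ".json", ".md", ".sql", ".yml", ".bak", ".eml"}


def scan_text(text):
    """Return the distinct email and IPv4 addresses found in a string."""
    return {
        "email": sorted(set(EMAIL_RE.findall(text))),
        "ipv4": sorted(set(IPV4_RE.findall(text))),
    }


def scan_tree(root):
    """Map each file under root that contains an identifier to its findings.

    Paths are reported relative to root in POSIX form so the output is stable
    across operating systems and can be diffed between audit runs.
    """
    root = Path(root)
    findings = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in TEXT_SUFFIXES:
            continue
        try:
            # Decoding errors are ignored: a partially binary file may still
            # carry readable identifiers, and skipping it would hide them.
            text = path.read_text(encoding="utf-8", errors="ignore")
        except OSError:
            continue
        hits = scan_text(text)
        if hits["email"] or hits["ipv4"]:
            findings[path.relative_to(root).as_posix()] = hits
    return findings


def count_by_category(findings):
    """Count distinct identifiers of each kind across all reported files."""
    distinct = {"email": set(), "ipv4": set()}
    for hits in findings.values():
        for category, values in hits.items():
            distinct[category].update(values)
    return {category: len(values) for category, values in distinct.items()}


def build_sample_tree(root):
    """Write a small constructed estate: HR export, CRM backup, web log, notes."""
    root = Path(root)
    samples = {
        "hr/staff.csv": "name,email\nAlice Example,alice@example.org\nBob,bob@example.org\n",
        "backup/crm.bak": "contact: carol@example.net\nlast-ip: 192.168.1.25\n",
        "logs/access.log": (
            "10.0.0.7 - - [01/May/2017] GET /\n"
            "10.0.0.7 - - [01/May/2017] GET /login\n"
            "203.0.113.9 - - [01/May/2017] GET /\n"
        ),
        "notes/readme.txt": "No personal data here; version 2.1.0 released.\n",
    }
    for relative, content in samples.items():
        target = root / relative
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content, encoding="utf-8")


def demo():
    """Build the constructed tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    results = demo()
    for relative, hits in results.items():
        print(f"{relative}: {len(hits['email'])} email(s), {len(hits['ipv4'])} IPv4 address(es)")
    print("distinct identifiers:", count_by_category(results))
```

Run it against a real share by calling `scan_tree("/path/to/share")` instead of `demo()`; the per-file map is the raw material for the register of what you hold, where it came from and who you share it with. Treat every hit as a lead to investigate rather than a conclusion: a log full of IP addresses is personal data whether or not anyone remembers why it is kept.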
3. Check the legal basis that you use to process data
Once you have found all your personal data check whether you will be allowed to use it in future.
If you rely on “legitimate interest” to process data then check that this will still apply under the GDPR. And if you have been relying on consent, check whether it was collected in a way that will hold up under the new rules: if it doesn’t, you won’t be able to process that data any more until you obtain fresh consent.
Some data, such as work email addresses, that wasn’t strongly regulated under the previous Data Protection Act is now treated the same as any other personal data.
4. Review what you tell people when you collect their personal data
The GDPR has some specific and strong requirements for the “privacy notices” you must give to people when you collect their data, or when you use data that has been acquired from a third party.
There is a lot you must tell people, but it needs to be delivered in a clear and simple way, so a layered approach where people can drill down for more information may well be appropriate.
5. Check whether your organisation will need a Data Protection Officer
Public authorities, and any organisation whose core activities involve regular and systematic monitoring of individuals on a large scale or large-scale processing of sensitive data, will need to appoint a data protection officer (DPO). Check whether you will need one and, if so, what the requirements are for appointing one.
6. Check whether there are circumstances where you will need to run a data protection impact assessment
Data Protection Impact Assessments (DPIAs, often still called privacy impact assessments) become mandatory where processing is likely to result in a high risk to individuals, such as large-scale processing of sensitive data or systematic monitoring. Make sure you understand when you need to run them, and how they should be run – for instance who needs to be involved.
7. Check that you can respond to people’s rights under the GDPR
People will have a number of rights. Foremost is the right to see the data you hold on them. “Data subject access requests” must normally be answered within a month and may be difficult to respond to manually, especially if you receive large numbers of them; so you may want to investigate an automated process.
There are a number of other rights people have including:
- To have inaccuracies corrected
- To have information erased
- To prevent direct marketing
- To object to decisions based solely on automated decision making, including profiling
- To be given their data in a portable format
Review your ability to accede to all of these rights.
8. Make sure that you have the ability to detect and report data breaches
Not all data breaches will require you to report them to the ICO. But some will, so make sure you know when you will need to do so: where a report is required it must be made within 72 hours of becoming aware of the breach. You could be fined if you don’t.
In some circumstances you will also need to tell the individuals whose data has been leaked, without undue delay. Typically this will be when the breach is likely to put them at high risk of harm. Notifying large numbers of people could be expensive, and this is where insurance can help.
9. Review your cyber security
Under the GDPR you will need to ensure that personal data is protected with appropriate technical and organisational measures. Certification against standards such as Cyber Essentials or ISO/IEC 27001 is good evidence that you have put appropriate technical defences in place, though it is not in itself proof of GDPR compliance.
Organisational measures will include things such as readable policies, regular training, and security awareness campaigns.
10. Design data privacy into new processes
You will need to adopt a “privacy by design and by default” approach to any new services or processes you develop.
“By design” means that privacy considerations should be included right at the start of the design process. You will need to document that you have done this. “By default” means that any privacy options in a service offered to consumers must start at the most protective setting, with the option given to the consumer to relax them if they want to.
Getting it right
Having a robust approach to data privacy that leads to compliance with the GDPR shouldn’t be difficult. But it will be time consuming and require some effort. If you need help with getting ready for GDPR then TEISS runs one day workshops that will help you get onto the right track.