GDPR – General Data Protection Regulation. Don’t click that little x or red box in the corner of your screen just yet. Everyone needs to take note of these new regulations, or your organisation is at risk of a big penalty: as much as 4% of your global annual turnover.
As an individual you will have extra rights over the data that companies hold and use about you.
These regulations have been in the pipeline for a while; I first heard of them over 18 months ago, and they have been debated for the last four years. You (as an organisation) now have less than two years to comply, with 25 May 2018 being the date by which you must be able to demonstrate compliance.
Despite the Brexit vote to leave the EU in June this year (so much has happened on the economic and political landscape since then), companies in the UK still must comply with the regulation. Any organisation collecting or holding personal data on anyone in the EU is affected and must comply, regardless of where that organisation is based. These really are global regulations when you consider the global village we are all living and interacting in.
“The directive will affect every single business that holds data on customers in Europe, whether or not the business is located in Europe or is part of the EU.”
High level view of what your organisation needs
- Solid data governance and data quality practices, policies and procedures that demonstrate control of your data: accuracy, lineage, stewardship and accountability, integrity, and the purpose for which the data is used
- An understanding of the lifecycle of the data affected by the legislation
- Assurance of the quality of the data used in your processing activities
Initial steps (more detail follows in the 12 steps below)
- Assess the impact – what data do you have that is affected by the regulations?
- Where is this data sourced from?
- Why is it collected / stored?
- What happens to it after it is collected, which processes is it used in?
- How is your data archived, for what period, and why?
- Have a process in place for when a breach of personal data occurs. Don’t take the view of “if” but “when”; then you will be ready to take action and report the breach within the specified time window.
Think Solvency II* ‘Plus’ as an example of the scope and complexity for your data management.
*Solvency II – EU Directive for the insurance industry. Primarily focusing on the amount of capital that insurance companies must hold to reduce the risk of insolvency.
12 Steps to Take Now
Many of the GDPR’s main concepts and principles are much the same as those in the current Data Protection Act (DPA), so if you are complying properly with the current law then most of your approach to compliance will remain valid under the GDPR and can be the starting point to build from. However, there are new elements and significant enhancements, so you will have to do some things for the first time and some things differently.
The Information Commissioner’s Office (ICO) has provided great resources to support your compliance with the regulations, including a checklist and what to do now.
The ICO will also be working closely with trade associations and bodies representing the various sectors, and it is suggested that you should also work closely with these bodies to share knowledge about implementation in your sector. I support this approach, as in the past I have implemented compliance with various directives, including WEEE (Waste Electrical and Electronic Equipment), the Battery Directive, REACH (Registration, Evaluation, Authorisation and Restriction of Chemicals) and Solvency II. Each time, having the trade and industry associations by your side was invaluable, even if only to provide reassurance. I have also noticed a number of LinkedIn groups, some better than others; check these out too. Great advice and guidance is being provided by some, but caveat emptor must apply here, as I doubt the regulator will let you off the penalty just because a LinkedIn group said something was correct.
It should go without saying, it is essential to start planning your approach to GDPR compliance as early as you can.
The Article 29 Working Party (the group of EU data protection authorities) will provide additional guidance in the coming months on a number of the areas listed below. These are denoted by an *.
Start with ‘buy in’ from key people in your organisation. Who will be your senior leadership or board sponsor?
Does your leadership know about the regulations? I am aware that not all do at this time, but the message is getting there slowly. You need to help highlight this new regulation. Start by asking: does the company have GDPR on its radar and on its risk register?
1 Awareness – Make sure that decision makers and key people in your organisation are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have and identify areas that could cause compliance problems under the GDPR. Implementing the GDPR could have significant resource implications, especially for larger and more complex organisations. You should particularly use the first part of the GDPR’s two-year lead-in period to raise awareness of the changes that are coming. You may find compliance difficult if you leave your preparations until the last minute.
2 Information You Hold – Document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit, across the organisation, or within particular business areas. The GDPR updates rights for a networked world. For example, if you have inaccurate personal data and have shared this with another organisation, you will have to tell the other organisation about the inaccuracy so it can correct its own records. You won’t be able to do this unless you know what personal data you hold, where it came from and who you share it with. You should document this. Doing this will also help you to comply with the GDPR’s accountability principle, which requires organisations to be able to show how they comply with the data protection principles, for example by having effective policies and procedures in place.
3 Communicating privacy information – Review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation. When you collect personal data you currently have to give people certain information, such as your identity and how you intend to use their information. This is usually done through a *privacy notice. Under the GDPR there are some additional things you will have to tell people. For example, you will need to explain your legal basis for processing the data, your data retention periods and that individuals have a right to complain to the ICO if they think there is a problem with the way you are handling their data.
Note: the duty to keep records of processing activities applies in full to organisations with 250 or more employees; smaller organisations are exempt from parts of it unless their processing is more than occasional, is likely to result in a risk to individuals, or involves special categories of data.
4 Individuals’ Rights – Check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format. The main rights for individuals under the GDPR will be:
- Subject access
- To have inaccuracies corrected
- To have information erased
- To prevent direct marketing
- To prevent automated decision-making and profiling
- *Data portability
Think about how you would react if someone asks to have their personal data deleted, for example. Would your systems help you to locate and delete the data? Who will make the decisions about deletion?
5 Subject access requests – Update your procedures and plan how you will handle requests within the new timescales and provide any additional information. The rules for dealing with subject access requests will change under the GDPR. In most cases you will not be able to charge for complying with a request and normally you will have just a month to comply, rather than the current 40 days.
6 Legal Basis for Processing Personal Data – Look at the various types of data processing you carry out, identify your legal basis for carrying it out and document it. This matters because some individuals’ rights will be modified depending on your legal basis for processing their personal data. The most obvious example is that people will have a stronger right to have their data deleted where you use consent as your legal basis for processing. You will also have to explain your legal basis for processing personal data in your privacy notice and when you answer a subject access request.
7 Consent – Review how you are seeking, obtaining and recording consent and whether you need to make any changes. Like the DPA, the GDPR has references to both ‘consent’ and ‘explicit consent’. Consent also has to be a positive indication of agreement to personal data being processed – it cannot be inferred from silence, pre-ticked boxes or inactivity.
This is a key action for charities. Review how you are approaching people for funds; you will need their consent to continue to contact them. How will this affect future levels of funding?
8 Children – Start thinking now about putting systems in place to verify individuals’ ages and to gather parental or guardian consent for the data processing activity. For the first time, the GDPR will bring in special protection for children’s personal data, particularly in the context of commercial internet services such as social networking. This could have significant implications if your organisation aims services at children and collects their personal data.
9 Data Breaches – Make sure you have the right procedures in place to detect, report and investigate a personal data breach. Some organisations are already required to notify the ICO (and possibly some other bodies) when they suffer a personal data breach. However, the GDPR will bring in a breach notification duty across the board. This will be new to many organisations. Not all breaches will have to be notified to the ICO – only ones where the individual is likely to suffer some form of damage, such as through identity theft or a confidentiality breach. Note that a failure to report a breach when required to do so could result in a fine, as well as a fine for the breach itself.
10 Data Protection by Design and Data Protection Impact Assessments (DPIAs)* – Familiarise yourself now with the guidance the ICO has produced on Privacy Impact Assessments (PIAs) and work out how to implement them in your organisation. This guidance shows how PIAs can link to other organisational processes such as risk management and project management. You should start to assess the situations where it will be necessary to conduct a DPIA. Who will do it? Who else needs to be involved? Will the process be run centrally or locally?
11 Data Protection Officers* – Designate a Data Protection Officer, if required, or someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements. The important thing is to make sure that someone in your organisation, or an external data protection advisor, takes proper responsibility for your data protection compliance and has the knowledge, support and authority to do so effectively.
12 International – If your organisation operates internationally, you should determine which data protection supervisory authority you come under. Put simply, the lead authority is determined according to where your organisation has its main administration or where decisions about data processing are made. In a traditional headquarters-and-branches model this is easy to determine.
Don’t forget that these new regulations also cover all your internal data, including HR and payroll information on your employees. Where is your payroll processed, and is that organisation compliant?
Good luck with your implementation, and remember there are lots of resources and information out there to help and advise. Start with the steps above and work steadily and logically through the needs and requirements.
More information can be found at:
Image credit: Atis Gailis