The new General Data Protection Regulation (GDPR) comes into force on 25 May 2018. Start preparing now.
The Information Commissioner Elizabeth Denham says that there is no time to delay in preparing for “the biggest change to data protection for a generation.” The GDPR will still apply when Britain leaves the EU. So what does it mean for you?
INTRODUCTION TO THE NEW REGULATIONS
The GDPR is similar to the Data Protection Act 1998 (DPA), with some additions; the most important of these is a new accountability requirement. If you are subject to the DPA now, you will almost certainly be subject to the GDPR.
The GDPR applies to ‘personal data’, but its definition of personal data is more detailed than the DPA’s, and makes clear that an online identifier such as an IP address can be personal data.
For most organisations, holding information such as HR records, customer lists or contact details, this change in definition should make little practical difference to the way that data is handled already.
The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria. Importantly, personal data that has been pseudonymised, e.g. replaced with a key-code, can still fall within the scope of the regulation, depending on how difficult it is to attribute the pseudonym to a particular individual.
The GDPR requires that you show how you comply with the principles. I’ll go into this in more detail in a later post.
Article 5 of the GDPR states that personal data must be:
(a) Processed lawfully, fairly and in a transparent manner in relation to individuals;
(b) Collected for specified, explicit and legitimate purposes, not further processed in a manner that is incompatible with those purposes. Further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
(c) Adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed;
(d) Accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
(e) Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
(f) Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
TWELVE STEPS TO TAKE NOW
1. Make sure that the managers and key decision makers are aware that the law is changing. They all need to be aware of the actions they need to take and the implications. If you haven’t already, sign up to this newsletter for further developments.
2. Create one central record of all the personal data you hold, where it came from and with whom you share it.
3. Review your current privacy notices and, if necessary, put a plan in place to implement any necessary changes before May 2018.
4. Check that your procedures cover all the rights individuals have under the GDPR, including how you would delete personal data and how you would provide data electronically in a commonly used format.
5. Update your procedures and plan how you will deal with subject access requests. There are new timescales (one month, rather than the current 40 days) and you may need to provide more information to the requester.
6. Identify the lawful basis for each of your processing activities under the GDPR, document it and update your privacy notice to explain it.
7. Review how you seek, record and manage consent, e.g. for mailing lists. Do you need to change anything? Does everyone on your mailing list want to be there? If not, remove them, now.
8. If you offer services to children, do you need to put systems in place to verify people’s ages, and to obtain parental or guardian consent for any data processing activity? Start thinking about this now.
9. Make sure you have the right procedures in place to detect, report and investigate a personal data breach. Under the GDPR, a breach that is likely to result in a risk to individuals’ rights and freedoms must be reported to the ICO within 72 hours of your becoming aware of it, so the detection and escalation path needs to exist before a breach happens, not after.
10. Familiarise yourself with the ICO’s code of practice on Privacy Impact Assessments (which the GDPR calls Data Protection Impact Assessments) and the latest guidance from the Article 29 Working Party. Then work out how to implement them in your organisation.
11. Designate someone to take responsibility for data protection compliance and assess where this role will sit in your organisation’s structure. Decide where it will fit in the governance arrangements. Are you formally required to designate a Data Protection Officer?
12. If your organisation operates in more than one EU member state, determine which is your lead data protection supervisory authority. The Article 29 Working Party guidelines will help with this.