Most of us are familiar with the Data Protection Act, which came into force back in the 1990s, but are you aware that as from 25th May 2017 organisations must begin to prepare to adhere to the new, Europe-wide General Data Protection Regulation (GDPR)?
The GDPR supersedes the Data Protection Act (1998), and its broad scope covers any company or organisation that deals with any European country, whether or not the organisation has any physical presence in that country. If an organisation wishes to trade with customers inside the EU it must abide by the new rules that are being rolled out over the next 12 – 24 months. No matter how the UK exits the European Union, it has been made clear that the Regulation will still come into force. The UK may make its own Data Protection Regulation, but it will not significantly depart from the European framework, so for the time being it makes sense for UK companies to work to the new legislation.
If your organisation is up to date with the current Data Protection Act, this will stand you in good stead when preparing for the implementation of the new Regulation. However, if your data protection policy is not suitably current or strong, you have time over the next year to get things into place and make sure you are ready for the 25th May 2018 deadline, when the GDPR will become mandatory.
There are 10 key areas that organisations need to take into account as soon as possible to be prepared for the Regulation’s introduction:
1) Be aware: Decision makers within all companies should be aware of the forthcoming changes and make sure that they understand the impact they could have on their business. Implementation of the GDPR could have significant implications for resources, particularly in the case of large companies and organisations. Small companies will also have to adhere to the rules, so commencing a study of how the Regulation will affect you is a sensible approach to take at this stage. The Information Commissioner’s Office has a range of guidance and information that can be useful in understanding the implications of the new Regulation.
2) Information and Privacy: All organisations must be aware of the data that they currently hold and ensure that it is up to date and accurate. Any information that they share with other organisations must also be documented; any inaccuracies must be corrected and notice of those corrections must be passed on to other authorised users. The idea of the GDPR is to update the rights of consumers for the networked world, where information can be shared widely. Ensuring that the information is up to date and properly documented, and that appropriate security measures are in place for holding it, is fundamental within the Regulation. As well as managing the data that an organisation holds, there are changes in the information that must be given to the consumers whose details you have access to. This includes informing them of the legal basis for processing the data and how long that information will be held, and giving clear guidance on how they can complain to the ICO if they feel that there is a problem with the information. It is important to note that all information and guidance given to consumers must be provided in concise, easy to understand language.
3) The rights of individuals: Organisational procedures must cover all the rights of individuals, including how they can have their information deleted or provided to them in a format that is easy for them to use. The primary rights for individuals under the GDPR include:
- Subject Access
- To have inaccuracies corrected
- To have information erased
- To prevent direct marketing
- To prevent automated decision-making and profiling
- Data Portability
In general, the rights of individuals under the GDPR are very similar to those under the Data Protection Act, but there are some significant additions, in particular with regard to data portability. Any information requested by a consumer about himself or herself must be provided in a commonly used, easily accessible format.
4) Subject Access: There are some significant changes with regard to subject access requests. Organisations will no longer be able to charge for complying with a request, and the timescale for releasing information has been reduced from 40 days to just one month. There will be different grounds for refusing to comply with a subject access request; if you wish to refuse a request you will need to have policies and procedures in place to demonstrate why the request is being refused. When people make requests you must also tell them about their right to have information deleted or corrected, and about your data retention periods.
5) Legal Basis: It will fall upon organisations to identify the legal basis for holding information about individuals. Under the new legislation, even where you have consent from individuals to hold information about them, you must identify the legal basis for holding that data and document those reasons; this falls within the scope of the accountability aspect of the Regulation.
6) Children and Consent: Similar to the Data Protection Act, the GDPR refers to ‘Consent’ and ‘Explicit Consent’, although the difference between the two is not clear, as both forms of consent must be specific, informed, unambiguous and freely given. Consent cannot be inferred from pre-ticked boxes or inactivity, but must be actively given. When it comes to children, the GDPR brings in specific protection for personal data relating to children (anyone under the age of 13 in the UK). Consent must be given by a parent or guardian for any information your organisation collects about children, including any information held within social media. In addition, any privacy notices intended for children must be written clearly and in language that can be easily understood by people under the age of 13.
7) Data Breaches: All organisations must ensure that they have the correct procedures in place to deal with a personal data breach, including how it is detected, how it is reported and how it will be investigated. Under the current law, some organisations are required to notify the Information Commissioner’s Office if they suffer any kind of personal data breach. With the GDPR there is a ‘breach notification duty’ across the board, although not all breaches need to be referred to the ICO, only those that risk some form of damage to the individual, such as identity theft or a confidentiality breach. Failure to report a breach could lead to a fine in addition to any fine for the breach itself. Organisations must implement procedures to handle a data breach at all levels, whether local, national or international.
8) Impact Assessments and protection by design: Data Privacy Impact Assessments (DPIAs) are recommended in any high-risk situation, such as the deployment of new technology or the use of a profiling operation that could significantly affect individuals. These should be linked to other organisational processes such as risk and project management and taken just as seriously. Whereas the Data Protection Act treated privacy and data minimisation as an implicit requirement, the GDPR makes this an express legal requirement: systems must be designed with privacy as their fundamental basis.
9) Data Protection Officers: All organisations should designate a Data Protection Officer (DPO). In small organisations this can form part of another role and does not necessarily have to be an individual’s primary job, but there should always be someone who is in charge of data management and security. This role can be performed by an external contractor if the company does not have a suitably qualified individual in-house. In larger organisations, particularly those that hold or process large volumes of personal data, the role of a DPO is crucial, and the DPO must have access to the highest levels of senior management, including the board of directors. While DPOs do not have to hold any particular qualification at present, they must have a thorough understanding and knowledge of data protection law, and the support of senior management in the performance of their duties.
10) Global Enforcement: If an organisation has a single head office from which all decisions and management are made, it is clear which data protection authority it will come under. However, with the current trend of multiple offices and sites across the globe, companies must be clear as to which areas of their trading come under which protection authorities, and must determine their ‘main establishment’, which in turn will identify their lead supervisory authority.
At Freeman Fisher we can offer you support and assistance in the implementation of the new Regulation. If you have any questions or need some guidance on how your organisation can prepare itself for the GDPR then contact us today and let us see how we can help your organisation make the best of these new opportunities.