The EU’s General Data Protection Regulation (GDPR) was approved in April 2016 and takes effect on 25 May 2018. This will be implemented in the UK and is expected to be retained intact after Brexit. Within the UK the organisation responsible for advising on implementation and for enforcing the regulations is the Information Commissioner’s Office (ICO), and they have already provided a considerable amount of guidance on the preparations we should be making, including a “12 steps to take now” document. There is further guidance to come.
That’s handy, but in simple, practical terms what should we be doing about this now?
Firstly, let’s understand what the GDPR is about. The first article states “This Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data”. Later on it defines processing as “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”. Note the “destruction” at the end – the rules apply right across the board.
Within the GDPR there is a strong drive toward organisations carrying out self-assessment of their compliance. Let’s start with three distinct tasks that will be the foundations for a plan of how to implement everything else:
- Make sure that the key decision makers in the organisation (the owner/partners, the board or trustees, and the senior managers) are all aware that the 1998 Data Protection Act will soon be replaced by the GDPR. These people need to understand that there are significant changes to the law, and that responsibility for decision-making in this area rests with them: for all the policies, for the data that is stored and any consent needed for it, for the storage and security systems, and for staff training. The colossal penalties for getting it wrong should be a clear indication of that. Even a small organisation with few staff and a limited number of customers must prepare, and any that send out marketing emails should also be aware that the Privacy and Electronic Communications Regulations (PECR) are being updated, perhaps in time for implementation alongside the GDPR in May 2018.
- Know, or find out, what personal data your organisation holds. This needs to be properly documented, as you must be aware of where the information came from and which other people or organisations you share it with. It may be necessary to undertake an “information audit” to understand all of this, because you need to know not only what you hold, but also where you hold it and why you hold it. Where it is held may include original paper copies, which are likely to have been transcribed into a computer and stored; copies in employees’ email, file systems and smartphones as well as in the main data store or Customer Relationship Management (CRM) system; backups of the electronic data; paper archives; and perhaps photocopies of the paper somewhere too. With this information you’ll be ready to start investigating what changes may be necessary for the GDPR.
- You also need to know why you are processing people’s personal data. You must have a legal basis for doing so, and this too needs to be documented, both to help you comply with the GDPR’s “accountability” requirements and because the rights of individuals depend on it. When you update your privacy notice, and also if you answer a subject access request, you will need to explain your legal basis for processing personal data. The ICO again has advice on Lawful Processing.
I’ll write more about preparation – there is much more to it still, but this should be enough to get the thinking started. Should you want any assistance then please contact us.