What is the GDPR?
GDPR is the general data protection regulation, a major change to the current data protection regulations which comes into force in less than a year on 25 May 2018. Although this is an EU regulation the UK will still be bound by it, whatever the outcome of Brexit. The aim of the GDPR is to bring data protection up to date and put in place regulations which acknowledge the changing nature of the data landscape, in particular the way in which data now flows freely over borders due to rapid technological development.
Why is data protection such a hot topic now?
The GDPR has been developed in response to an increasingly outdated data protection landscape, both in the UK and other EU countries. In particular, current regulations don’t effectively address the issue of vulnerability when data is shared between different countries with different levels of data protection in place. The GDPR will create a consistent data landscape throughout Europe and beyond to enable the secure free flow of data.
The GDPR also addresses fast-growing concerns about cyber security. There have been a number of high-profile cyber security breaches lately, some of which have been specifically aimed at the public sector. This has led to growing customer awareness and concern regarding data security, and people are increasingly questioning the way in which their personal data is collected, processed and stored. One of the effects of the GDPR is to give individuals much greater visibility over their data by comprehensively improving consent processes.
Many organisations have security vulnerabilities in their IT systems that come about because security and privacy were an afterthought in the system design process. This leads to security holes and patchy repairs applied once systems are in use. GDPR addresses this by making the practice of privacy by design a legal requirement.
The volume of data that organisations collect and produce is increasing at an exponential rate. Individuals are increasingly aware of the volume of data that organisations can hold on them and want to ensure that they have control over that data. The GDPR addresses these concerns through the introduction of a ‘right to be forgotten’ and a ‘right to data portability’. The former enables data subjects to have their personal data ‘forgotten’ once it is no longer being used for the purpose for which it was collected, and the latter allows individuals to acquire and reuse their personal data across different services.
Is GDPR just relevant to commercial organisations?
No. GDPR is relevant to any organisation that holds personal data on individuals. Personal data is defined as data which enables an individual to be identified, either from the information in the dataset itself or by combining that dataset with other datasets that might be available. A recent survey of 173 councils showed that more than 15% do not have any data protection training in place for employees who are processing personal data, and a third do not carry out privacy impact assessments (PIAs) as required by the GDPR. Indeed, Norfolk Council was recently fined £60,000 for a data breach in which social work files were discovered in a cabinet bought in a second-hand shop by a member of the public, so GDPR is just as relevant to public sector organisations as it is to those in the commercial sector.
Twelve steps to take now in preparation for GDPR
- Awareness. You should make sure that decision makers and key people in your organisation are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have.
- Information you hold. You should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit.
- Communicating privacy information. You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.
- Individuals’ rights. You should check your procedures to ensure that they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.
- Subject access requests. You should update your procedures and plan how you will handle requests within the new timescales and provide any additional information.
- Lawful basis for processing personal data. You should identify the lawful basis for your processing activity in the GDPR, document it and update your privacy notice to explain it.
- Consent. You should review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents now if they don’t meet the GDPR standard.
- Children. You should start thinking now about whether you need to put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity.
- Data breaches. You should make sure you have the right procedures in place to detect, report and investigate a personal data breach.
- Data protection by design and data protection impact assessments. You should familiarise yourself now with the ICO’s code of practice on Privacy Impact Assessments as well as the latest guidance from the Article 29 working party and work out how and when to implement them in your organisation.
- Data protection officers. You should designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements. You should consider whether you are required to formally designate a data protection officer.
- International. If your organisation operates in more than one EU member state (i.e. if you carry out any cross-border processing) you should determine your lead data protection supervisory authority. The Article 29 working party guidelines will help you to do this.
How is Abavus preparing for GDPR?
We’re preparing for the GDPR in three main ways:
- Ensuring that all platform changes comply with and exceed minimum standards as defined by the GDPR.
- Reviewing all our contracts and hosted services contracts.
- Ongoing discussions with customers to help them develop master data management strategies.
If you’d like to have a chat with us about how GDPR might impact your activities and how we can help you, please get in touch.