Boiling down to the essentials in GDPR – Our first step in navigating this new regulation
There has been an awful lot of hype about the new GDPR regulation that comes into force in May 2018, and I for one have been trying to get my head around it.
The GDPR, also known as the General Data Protection Regulation, changes data protection law and in a lot of ways changes it for the better. It gives us, as individuals, more rights to know what data is being held on us and the right to be forgotten. It finally brings consequences for companies that sell and spread our data without our consent. We might finally even be able to get off that cold-call list!
However, as a business it is a little more of a headache, as like anything in life it is easy to pick up a trail of computerised and archived debris, which we need to ensure we have permission to hold, regularly review and endeavour to archive safely and securely.
This is no easy task, but a lot of people are suggesting that we see it as an opportunity: an opportunity to dust off the files and reconnect with previous clients, to evaluate all the information we hold and review what is actually necessary, or whether we are simply clogging up our disk space.
I was asked to try and get us ahead of the curve to ensure that by early 2018 we are in a strong position to deal with this. It won't be long before our clients are asking us what we are doing and what data we hold, but as with every new venture, there is not always a clear path.
The first step I took was to get in touch with the governing body, the ICO, who regulate this law and have released some guidelines, a 12-step plan to be precise, to help companies navigate the changes.
1. Awareness
The simplest one of all. If you are aware that this is happening on 25th May 2018 then you are already ahead of a lot of people.
More laws are coming in to protect our personal data, which boils down to any data that can identify an individual, directly or indirectly. This includes their name, personal email address, personal phone number, home address and image, amongst other information, and under the GDPR it also covers online identifiers such as IP addresses and cookie IDs.
2. Information You Hold
Within your own organisation you need to start reviewing what personal data you hold, where it came from and who you share it with. The GDPR requires that records of this processing be maintained and regularly updated so that they are current and accurate. If you have shared inaccurate data with a third party, it is your responsibility to inform them so that their records can be corrected too.
3. Communicating Privacy Information
The key ingredient in everything we do: you need to start communicating internally with your employees about how to handle data correctly, and externally about how you deal with data within your company. Review your current privacy notice and check that it covers how, why and where you store data, your lawful basis for processing it, how long you intend to hold it, the individual's right to be forgotten and their right to complain to the ICO if they feel there is a problem with the way you are handling their data.
4. Individual Rights
Check your procedures to ensure you cover all the rights individuals now have, including how you would delete personal data or provide data electronically and in a commonly used format.
The GDPR includes the following rights:
- the right to be informed;
- the right of access;
- the right to rectification;
- the right to erasure;
- the right to restrict processing;
- the right to data portability;
- the right to object; and
- the right not to be subject to automated decision-making including profiling.
Some good questions to ask yourself if someone asked for their information to be deleted are: would your current systems help you locate and delete the data, including copies held in backups and by third parties you have shared it with? Who in your organisation will make the decisions about deletion?
5. Subject Access Request
Be aware that customers now have the right to see what data you hold on them. In most cases you will no longer be able to charge for this (the old £10 fee goes), and you must respond within one month rather than the previous 40 days, with the information requested in concise, easy to understand language. So you may need to think about how this information could be held and easily managed to allow you to do this.
In exceptional circumstances, where requests are manifestly unfounded or excessive, you can refuse to respond or charge a reasonable fee. Even then you must reply within one month, explaining to the individual why you have taken this decision and that they have the right to complain to the ICO and to seek a judicial remedy. I would also recommend liaising with the ICO before you take this step to ensure your reasons are supported.
6. Lawful basis for processing personal data
(I am still to wrap my head around this one.) The ICO advises that you should identify the lawful basis for each of your processing activities under the GDPR, document it and update your privacy notice to explain it. The GDPR offers six bases: consent, contract, legal obligation, vital interests, public task and legitimate interests. The choice matters because some individual rights depend on it; for example, the right to erasure and the right to data portability apply differently depending on which basis you rely on.
7. Consent
Gathering consent sounds easy, but imagine the next few months when everyone is reaching out to everyone: once the novelty wears off, won't our customers become numb to even the most cleverly spun consent letter? Will we end up having to delete client data because they are simply fed up of ticking boxes and responding with their consent? Bear in mind that consent under the GDPR must be freely given, specific, informed and unambiguous, given by a clear affirmative action, so pre-ticked boxes and silence do not count, and that consent is only one of the lawful bases, not the only one.
8. Children
For the first time, the GDPR brings in special protection for children's personal data, particularly in the context of commercial internet services such as social networking. Under the GDPR the minimum age at which a child can consent to such services is 16 years old (member states may set it as low as 13), although I heard this was being moved to 13 years.
9. Data Breaches
Make sure you have the right procedures in place to detect, report and investigate a personal data breach. From May 2018 you will have 72 hours from becoming aware of a breach to notify the ICO, unless the breach is unlikely to result in a risk to individuals, for example discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage to a client. If the breach is likely to result in a high risk to the individuals concerned, you must also tell them without undue delay, and the ICO can require you to do so. Failure to report a breach when required to do so can result in a fine of up to €10 million or 2% of your global annual turnover, whichever is higher, separate from any fine for the security failings that led to the breach.
10. Data Protection by Design and Data Protection Impact Assessments
I am yet to get to this stage on the list, but the ICO recommends carrying out a Privacy Impact Assessment (PIA) as part of this. Under the GDPR this becomes a Data Protection Impact Assessment (DPIA), and it is mandatory where processing is likely to result in a high risk to individuals.
11. Data Protection Officers
Designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation's structure and governance arrangements. A formal Data Protection Officer is mandatory for public authorities and for organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data.
12. International
This one is not really applicable to us (yet), but if your organisation operates in more than one EU member state, you should determine your lead data protection supervisory authority and document this.
When faced with the above it can feel a little overwhelming, particularly when you look at the client list and see how much data you need to account for. So I attended Kidwells Solicitors' free GDPR seminar to help me understand some of the grey areas without all the heavy jargon. You can hear what I learnt in the workshop in episode 19 of our podcast, or listen to an interview with Rebecca and Jeremy, the workshop hosts.
The main thing I took away is that you must make your policy relevant to you and your company. There is no official stamp yet on whether you are GDPR compliant; this will only come to be tested when you get a breach. It is not a case of if, it is a matter of when. Make sure you are taking the relevant steps above and are only keeping what is necessary. If in doubt you can always contact the ICO on their helpline, which offers free advice and policy reviews.
As you can see, our GDPR journey has only just started, and each of us will be taking a slightly different path to ensure we are compliant for May next year.
Image credit: Data Thief – Hacker – Cyber Criminal by Blue Coat Photos