The Current Situation
As many of us will already know, if we use personal information we are likely to be subject to data protection laws that govern the way in which we are able to use that information. Whether we have a simple contacts and appointments book as a self-employed or freelance worker, post pictures on social media promoting our business or charity, or have many thousands of individual client records within a large business, we are likely to be required to comply with the Data Protection Act 1998.
While some organisations have excellent standards of compliance, I think it would be fairly safe to say that many remain unaware of their obligations under the legislation and, perhaps for some, even that the law exists or that it applies to them. Arguably that has been due, at least in part, to the minimal risks most have faced from non-compliance. The Information Commissioner's Office (ICO) can and does issue fairly significant fines, and we have recently seen TalkTalk given a record £400k fine for failing to appropriately secure personal information. However, for many, the circumstances that give rise to these headline-grabbing penalties are likely to seem a world away from their own operations.
What is Changing?
Every organisation that uses personal information should be aware that the most significant change to data protection law in decades is on the horizon. After a time of uncertainty, the way forward for the implementation of the General Data Protection Regulation (GDPR) seems to be emerging. The new EU Regulation on data protection was adopted earlier this year, becoming effective in all EU member states in May 2018.
Being an EU Regulation, naturally there was some confusion (and, perhaps for some, wishful thinking!) about whether it would actually come into force following the Brexit vote. However, we now have confirmation that the ICO considers the Regulation as being in force (just not in effect), as well as the widely reported proposal from the UK Government that all existing EU legislation will be transposed into domestic legislation by the Great Repeal Bill.
The UK Government may choose to amend some aspects of certain EU Regulations, although in the case of GDPR most organisations are unlikely to be in a position where they can afford to wait and see what happens. With fines in the new legislation of up to an eye-watering 4% of annual global turnover or €20M, whichever is higher, there can now be little doubt that it is time to get started on the changes required to implement the new standards. We also need to remember that the Regulation (in its current form) is highly likely to come fully into effect before we leave the EU.
What Does My Organisation Need To Do?
This blog will help you prepare for the new data protection legislation and manage key risks to your organisation.
We will be issuing a regular blog that looks at the practicalities of implementing the new requirements, draws together any relevant advice and guidance that has been issued, and keeps you informed on the meaning of any legislative change that could affect implementation. Topics will cover specific new GDPR requirements and will include:
- Implementing a breach reporting procedure that informs the ICO and people where their data has been put at risk;
- The practical implications of the "right to be forgotten". Individuals can request, at any time, that information you hold about them is deleted, and you must be able to comply with this request unless there are legitimate grounds to continue holding it, for example for tax purposes. By implication, you will need to know what information you are holding, how long you need to hold it for, and when you are able to destroy it, and be able to confirm that it has been destroyed. Arguably this is already a requirement under existing legislation;
- The meaning of “data protection by design and default”. Adequate controls to safeguard personal information must be integrated into systems and procedures from the planning stages, and in some cases will require a privacy impact assessment;
- Understanding the legal basis for processing personal information, which means you are able to justify, in terms of the legislation, why you are processing personal information. While this may sound like legal jargon, it is going to be an area that organisations will need to familiarise themselves with in order to comply and we will try to break this down into simple tasks. People will have a right to this information, and it will also need to be included in privacy notices;
- Following on from the above, consent is one of the conditions for processing that you may currently be relying on, and the rules for the use of consent are changing. Again, this is likely to be a major task for some organisations. Our blog will look at what procedures may require change and at ways of integrating the obtaining of consent into existing processes so that they comply with the new legislation;
- Some organisations will require a data protection officer and we will look at their role and how that should facilitate compliance.
Key Action Points
There is some information available from the ICO's data protection reform site, and all organisations should start by reviewing the ICO's 12 steps for preparing for GDPR. At the very least, organisations should be looking at their compliance with the current legislation and taking action to address gaps. Building on the ICO's guidance, two key tasks to get started on are to:
- Identify what personal data you hold, where it was obtained from and who it is shared with. As discussed above, you should also understand why you are holding it (the purpose) and how long you need to retain it for, and ensure it can be destroyed when it is no longer required;
- Raise awareness of the new legislation within your organisation. Change is likely to require resources and senior management buy-in, which will be easier to secure when key people in your organisation fully understand the risks.
As always, feedback and requests for topics are welcome.
Liz has worked with data protection for nearly 20 years and helps organisations with managing their information as well as with practical compliance with information-related legislation.
The material contained in this site and in this blog constitutes general guidelines only and does not purport to be advice on any particular matter. No reader should act on the basis of material contained in this site without first taking professional advice appropriate to their particular circumstances.