Information drives an organisation’s ability to grow and develop.
There have been a number of organisations who have been affected by data breaches and their reputations or finances damaged as a result. TalkTalk’s breach of October 2015, cost the company £60m pounds, they lost 100,000 customers and received a fine from the Information Commissioner’s Office (ICO) of £400,000. It doesn’t just happen to big companies though, ransomware, spyware and malware are threats to organisations of all sizes.
The current Data Protection Act (DPA) has been in place since 1998 and has needed to be updated for some time – technology’s changed a lot since then, we’ve entered the ‘Digital Age’ – the General Data Protection Regulation (GDPR) does just that.
The GDPR sets out good practice for dealing with personal information. The GDPR is European wide legislation, and despite Brexit, we will still need to comply. The GDPR looks to ensure that individuals have more control over how their personal information is used, shared and updated.
The good news is that lots of what you already do should meet the requirements of GDPR when it’s enforced from May 2018. Every organisation, regardless of size, will need to do some work if they use (process) information (data) related to even one person (individual) who is a resident of the European Union.
In the global economy of 2017 this means that GDPR will need to be complied with by a company in China with a database of EU customers as much as an accountancy practice in Wales holding client information. There’s an increasing view that GDPR will ultimately become a global standard as it makes little business sense to handle some client/customer information differently because of where they happen to reside.
A good starting point is the ’12 Step’ document issued by the Information Commissioner’s Office (ICO) who are responsible for enforcement of GDPR. The steps are summarised below.
- Awareness – make sure that everyone across your organisation is aware that GDPR is the law and will be enforced from 25 May 2018.
- Documenting the Information You Hold – potentially the most challenging task, so you need to start now. Recent research suggested that less than 1% of organisations knew precisely what individual data they hold, in what form and where.
- Communicating privacy information – You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.
- Individuals’ rights – You should check your procedures to ensure they cover all the rights individuals have, including how you delete personal data or provide data electronically and in a commonly used format.
- Subject Access Requests – You should update your procedures and plan how you will handle requests to take account of the new rules.
- Lawful basis for processing personal data – You should identify the lawful basis for your processing activity in the GDPR, document it and update your privacy notice to explain it.
- Consent – You should review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents now if they don’t meet the GDPR standard.
- Children – You should start thinking now about whether you need to put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity.
- Data breaches – You should make sure you have the right procedures in place to detect, report and investigate a personal data breach.
- Data Protection by Design and Data Protection Impact Assessments – It has always been good practice to adopt a privacy by design approach and to carry out a Privacy Impact Assessment (PIA) as part of this. However, the GDPR makes privacy by design an express legal requirement.
- Data Protection Officers – Most accountancy practices will not need a Data Protection Officer but some organisations because of the information they hold and process will need to make the appointment.
- International – If your organisation operates in more than one EU member state, you should determine your lead data protection supervisory authority and document this.
These are some actions you need to complete to ensure the way you work reflects the new regulation. The full ’12 Step’ document is available via the ICO website.
Ian Cooley GDPR, Data Protection and Privacy Specialist at GDPR Advisors UK.