We’re now two weeks away from the General Data Protection Regulation (GDPR) coming into effect on 25th May 2018. It’s the first major shake-up of data protection law since the EU brought in legislation in 1995, and it will significantly change the way businesses and public sector organisations can handle the information they hold on their customers. This change will affect the processes of every business and every department, including the IT department.
Under the GDPR, there are new rights for people to access the information that companies hold about them, obligations for better data management for businesses, and significant consequences for failing to comply. Anyone found to be in breach of the new legislation could face fines of up to €20m or 4% of total annual revenue (whichever is higher).
From an IT perspective, the GDPR demands more focus on information security, moving towards a ‘secure by design’ approach with information security at the heart of every product, every service, every contract and every decision. The penalties for getting it wrong are not just financial but also reputational, with the potential for operational and service delivery disruption that reaches far beyond the breach itself.
Given this, the new regulations will affect every department in an organisation, but IT professionals will be particularly responsible for ensuring compliance by ensuring data protection is at the core of all processes.
So what can be done to prepare? There are a number of points to consider:
1. Raise awareness
There will be many different people and teams within your organisation who have access to data. Everyone needs to be aware of GDPR and what it means for them, so ensure that you communicate effectively and bring everyone up to speed before 25th May 2018.
2. Map your data
What personal data do you hold? Where is it kept? Where did it come from? How was it collected? How is it shared? How long do you keep it for? These are all questions that you will need to be able to answer, so get thinking about every way in which you use data in your day-to-day tasks and map it out so you have a complete picture.
3. Review privacy notices
Under the GDPR, organisations will need to provide a little more detail than is currently required in their privacy notices. Under the current Data Protection Act (DPA), businesses provide information such as their identity and the intended use when collecting personal data, but to comply with the GDPR you’ll need to include additional details such as your data retention periods, and you will need to explain that individuals have the right to complain to the ICO about your handling of their data. All this information needs to be put across in a concise and easily understandable way.
4. Individual rights
GDPR will vastly expand the rights of data subjects, and organisations must be able to demonstrate that they can handle requests for personal data within the legal timeframe of 30 days. To be compliant, you should be able to show that you can validate the identity of a person who requests access to the data you hold on them, as well as trace and search for that data and export it in readable formats.
5. Lawful basis for processing
Every organisation will be required to assign a legal basis to each type of data processing activity it carries out. The purpose of this is to help ensure that no personal data is collected or retained beyond the minimum necessary for each specific purpose of the processing, that data is not processed for any reason other than the one for which it was collected, and that it is not sold on to third parties.
6. Consent
GDPR will change the rules around consent to process data. If you currently rely on obtaining consent to process an individual’s data, you need to make sure the way in which you seek, record and manage that consent meets the GDPR standard. Any consent that you seek will need to be specific, granular, clear, prominent, opt-in, properly documented and easily withdrawn.
7. Data security & breaches
With the increase in the number of data security breaches happening globally, the GDPR will seek to ensure transparency from organisations when these breaches occur. Procedures should be put in place to effectively detect, report and investigate personal data breaches. Any breaches which are likely to result in a risk to the rights and freedoms of individuals will be required to be reported to the ICO.
8. Define your approach to privacy & data protection
As of 25th May 2018 it will be a legal requirement for all interactions between your business and any individual to be designed with privacy and data protection in mind. The appropriate data security measures should be in place and by default only the necessary personal data needed for a specific purpose should be processed.
9. Appoint a Data Protection Officer (DPO)
In order to be compliant, every organisation that carries out large-scale monitoring or processing of data must appoint a Data Protection Officer. The DPO is responsible for making sure your organisation complies with data protection law and manages the growing risks that come with processing personal data.
10. Data transfers
As part of giving individuals greater rights to access the data which a company holds on them, organisations must be able to easily transfer this data in a structured, commonly used and machine-readable format. Individuals will be allowed to submit requests for their personal data at any time, and you will need to be able to send it to them within the legal timeframe.
Here are some sources to help you with your GDPR compliance journey:
What is GDPR? The summary guide to GDPR compliance in the UK
Guide to the General Data Protection Regulation (GDPR)
The DMA’s guide to GDPR
GDPR: Ten easy steps all organisations should follow