The new rules
The European Union’s new General Data Protection Regulation (GDPR) will be implemented on 25 May 2018. The GDPR builds on the UK’s Data Protection Act 1998 (DPA) and gives individuals further rights than they have under current legislation.
To meet the GDPR, significant enhancements will need to be made to business processes, procedures and documentation.
All language used must be clear, easily understood and pitched at the user group. The aim of the new regulation is to put individuals in control of their personal data. Failure to enable this control could lead to fines of up to 4% of global turnover or €20m, whichever is greater.
Documents and processes
As part of the GDPR requirements, documents and processes have been enhanced to guarantee the protection of personal data. Some further details are listed below.
Consent under the new regime builds on the existing rules by stating that consent must be given by a positive action on the part of the individual. Having a pre-ticked opt-in box on a form does not comply with the regulation.
The consent text must be clear and specific, unrelated to other text (such as terms and conditions) and must name any third parties who have access to the data. Records of consent must be kept and information on how to withdraw consent must be easily accessible and understandable.
Subject Access Requests
A Subject Access Request (SAR) is a request by an individual to discover what personal data is held on them by the organisation. The request must be made in writing.
These requests will become more frequent as time goes by, so it may be worthwhile creating a form that could be used by the individual to give all the information necessary to identify that person and thereby allow the organisation to comply with the request.
The request must be dealt with within one month of receipt (the present rule is forty days), and although currently an organisation can charge a fee, after the implementation of GDPR, the first copy of personal data must be supplied free of charge.
The DPA required the privacy notice to display the name of the data controller, why the data is processed and other relevant information relating to the processing of data.
The GDPR goes further and states that the information should be written so that it is concise and easily understood, written with the user in mind, and provided free of charge.
The notice should be tested by volunteers from the target group, rolled out when any amendments are completed and reviewed regularly, with feedback given.
Privacy Impact Assessments
Carrying out Privacy Impact Assessments (PIA), while not mandatory, is recommended to measure the impact on personal data of any projects or plans implemented by the organisation.
The project or plan could be new, or it could be enhancing an existing system. A new computer system, or an upgrade or enhancement of an existing computer system, where personal data is impacted, is one example where a PIA would be used. The PIA is designed to be a flexible process and therefore easily incorporated into an organisation’s existing procedures.
The use of a PIA could be the difference between the safeguarding of personal data and a data breach and potential fine.
The Information Commissioner’s Office (ICO) identifies the areas of an organisation’s business that need reviewing in a document titled the ‘12 steps to take now’.
The twelve steps can be broken into three distinct areas: information, management and procedures. By identifying the three areas, the tasks and actions can be distributed so that no single person is overwhelmed by the volume of work to be done. The suggested method of handling the implementation of GDPR is to create a steering committee.
To implement the changes needed, a good place to start would be to form a steering committee. The steering committee would oversee the whole project, identify and allocate tasks, monitor and document progress, helping to ensure that the GDPR requirements are met by the deadline date.
If there are not enough people within the organisation to form a committee, here are some options to consider. The organisation could team up with another that fulfils the same or similar function. For example, all chartered and licensed accountants have to name a person or practice who would take over the work in case of incapacity.
Other associations will have the same requirement, but even if it is not a requirement, an agreement between organisations to work together on projects of this size would always be a good idea.
Teaming up in this way would not only ensure that the workload is reduced and that more ideas and solutions are generated, but there would be familiarity, improvement and standardisation of processes and procedures between the organisations that could benefit both organisations and customers alike.
Another option would be to divide the tasks into information, management and procedures, as below, and allocate time to work on the tasks identified.
Organisations will have to audit all personal information that they hold. The audit should cover what information is collected, how it is processed, where it is stored, who it is shared with, how long it is retained and when it is destroyed.
There is a fundamental question that needs to be addressed: is the information needed at all? That question is very relevant to sensitive personal data such as racial or ethnic origin, political opinions, religious beliefs or sexual orientation, which might be asked for, but may not be relevant to the service given to the customer or client.
All information on GDPR must be easily accessible, internally and externally, on a webpage, with links to important information and documents as necessary.
Management will need to understand the resourcing implications of firstly, meeting the GDPR requirement, and secondly, maintaining and monitoring compliance. Appointing a senior level manager to oversee and take ownership of the GDPR will indicate that the organisation is committed to the regulation and sees data protection as paramount.
A programme of staff training will need to be implemented. This should happen not only on the initial implementation of the enhanced procedures but regularly on an ongoing basis.
Third party audits and contracts will need to be actioned by management to ensure the protection of any personal data accessed by third parties. Again, having a named manager at senior level with authority over the whole process will give it the importance and formality needed. This commitment is very relevant in the event of a data breach, given that there is a legal requirement to report the breach within 72 hours of it becoming known.
All procedures will need to be documented and reviewed for compliance with the current DPA, and either enhanced or created for meeting the individual’s rights to data access, data amendments and data deletions. For example, because the timescale for complying with SARs has been reduced to one month, existing procedures must be amended or new ones written to encompass this change.
The deadline is only nine months away – not a lot of time given the amount of work needed to meet the requirement. Taking a calm and ordered approach, though, will go a long way in meeting the goal, beginning with understanding what is involved. Hopefully, the information above is a practical and useful initial step on your journey.