The devil’s in the data
Despite the UK’s decision to leave the EU, new European wide data protection legislation cannot be ignored.
New European legislation governing data protection, commonly known as the General Data Protection Regulation or GDPR is here. Even with the inevitability of Brexit, the GDPR will set the bar for handling personal data for the foreseeable future.
UK businesses will need to demonstrate data security to GDPR or equivalent standards in order to maintain cross border transactions and data flows.
Here, we explain what this will mean in practice.
GDPR is already in force but businesses are not expected to be compliant until 25 May 2018. Whilst this may seem a long way away, businesses should take steps now to assess current operations against the requirements of the GDPR and put in place systems and controls to ensure compliance.
In many ways the GDPR compliments and adds to the current data protection law, the Data Protection Act (DPA). So if your business already complies with the DPA you are on the right track, but there is more to do.
Do you know what personal data your business holds, the source of this personal data, how long it is retained, how and where it is transferred across your supply chain?
It is fundamental for a business to identify how personal data currently flows across its organisation before it can dive into the detail of the GDPR requirements. For each data flow ask whether your business controls the personal data or do you process personal data on the instructions of a third party?
Whilst the DPA did not impose any obligations directly on a business purely processing personal data on behalf of another organisation, the GDPR does.
Both data controllers and data processors are required to keep accurate records of data processing, so auditing current operations is an essential step to achieving compliance. If your business collects personal data under a privacy notice, the content of that notice will need to be amended. The GDPR now prescribes certain information it must contain.
Businesses must balance the requirement to add this detail against the need for the notice to be transparent and easy to read. Some organisations are turning to video blogs in an attempt to make privacy notices user friendly.
Does your business need a Data Protection Officer (DPO)? Under the GDPR it is mandatory for certain organisations to designate a DPO. These will include public authorities, public bodies and organisations that conduct, as a core activity, large-scale, systematic or regular monitoring of individuals or large-scale processing of sensitive personal data.
Even where an organisation doesn’t fall within these categories, it would be good housekeeping to have an individual nominated to deal with data compliance. Whether or not the individual officially adopts the title of DPO; the key principle underlying the GDPR is accountability and the DPO takes a pivotal role in both evidencing and achieving this.
Guidance recommends that even where an organisation determines it does not need a DPO, its analysis in making this determination is recorded.
Does your business have a Data Protection Policy? Do you have established procedures in place to deal with data compliance or is your business reactive?
Subject Access Requests (SARs): This is not a new concept, but the time period a business has to respond to a request from an individual for information held about them has reduced from 40 days to one month. The ability for an organisation to charge a fee has been removed and the breadth of information that has to be given back to the individual has increased.
Privacy Impact Assessments (PIAs): Again, PIA’s are not new but these assessments are now mandatory for any high risk processing. Training: any individual handling personal data should be trained to understand their responsibilities under the GDPR. Training staff is essential to both evidencing compliance and mitigating the risk of data misuse/loss.
Reacting to an incident: the GDPR introduces mandatory reporting to the ICO, within 72 hours or less, for security breaches (with some exceptions). Businesses controlling personal data should ensure they have procedures in place to deal with any incident within the required timescales.
Do you have contracts in place dealing with the transfer of data to your business or from your business (in any capacity)? If these contracts will be in place after 25 May 2018, they will need to be reviewed. The GDPR prescribes certain information that must be included in the contract to document the data processing being undertaken.
It is also sensible to use this opportunity to impose additional obligations on other parties within your supply chain to assist you in your compliance. Employment contracts should also be considered. This is not an exhaustive list of the GDPR requirements, but demonstrates the direction of travel – accountability is the key!
Investing time, and budget, in these actions now will give your business a sufficient timeframe to implement and embed change. Complacency and inaction risks misuse of personal data and, in consequence, exposure to fines (which are significantly higher than those under the DPA), pay-outs of compensation to affected individuals and reputational damage.