How strong are your business’ data protection policies, systems and processes? 

2018 is now fully in swing and it’s likely that your diary is filling up fast.  However, there is one date that you should have clearly marked in your calendar and that is 25th May 2018.  This is the date that could have a significantly drastic impact on your business if you are not prepared.  Why?  Because it’s the date that the General Data Protection Regulation (GDPR) arrives – the biggest shake-up in data protection since the Data Protection Act 1998 (DPA ’98).

The General Data Protection Regulation (GDPR), arriving 25th May 2018.  What exactly is it?

Its arrival aims to create a safer digital environment that focuses on how consumer data is used and protected.  The hope is that this will strengthen data protection for all individuals within the EU and place an emphasis on giving control over personal data back to citizens and residents.  However, this brings about important changes for businesses and will create new demands on data handling, which in turn raises the stakes for all businesses.  For instance, there are severe penalties of up to 4% of worldwide turnover or a maximum fine of €20 million, whichever is greater, for any breaches of compliance with the GDPR.  A devastating hit for many businesses to take.

Now I’m sure many reading this in the UK will think, ‘Hold on, what about Brexit?  Surely this won’t affect me?’.  However, the Great Repeal Act means it’s extremely likely that the GDPR will make its way into UK law.  In any event, the GDPR will affect all companies that handle the personal data of EU citizens, regardless of whether the organisation is located in the EU or not.  So it commands our attention.

What Will I Need to Do?

So, what do you need to do to ensure that you’re ready and compliant by 25th May?

The GDPR focuses on 7 main areas, each of which is highlighted and discussed below:

  1. Consent – Following the implementation of the GDPR, businesses will not be able to use indecipherable terms and conditions filled with legal jargon to confuse consumers when obtaining consent to collect and use their personal details.  It must be easy and straightforward for individuals to give consent and just as simple to withdraw it.  In other words, consent must be freely given, specific, informed and unambiguous.  It must be a positive opt-in, and consent cannot be inferred from silence, pre-ticked boxes or inactivity.  So, double opt-in is likely to be much more common moving forwards.  Do your current terms and conditions meet these criteria?

     It’s also worth bearing in mind that timing is irrelevant.  Just because you obtained the details prior to the GDPR’s implementation doesn’t matter.  If you have personal data on your list, you must comply with the GDPR.

     However, it’s worth noting that it’s not necessary to rely on consent alone.  In some instances it will be necessary to obtain and share personal data without it, for example when processing is necessary for the performance of a contract, for complying with legal obligations, or where it is proportionate processing for a legitimate business interest.

  2. Breach Notification – Should your business suffer a data protection breach, do your current systems and procedures allow you to report such a breach within the required time frame?  If you become aware of a breach you have 72 hours to inform the supervisory body, e.g. the ICO in the UK.  Individuals may also need to be notified if the breach poses a high risk to them.  So, if you were to suffer a breach on a Friday morning, would you be ready to report it to the ICO first thing on Monday?  It’s vital that you have the right procedures in place to detect, report and investigate a personal data breach.  If you do not, have you planned and budgeted for the necessary alterations?

  3. Right to Access – The GDPR intends to enhance and raise awareness of individuals’ rights, so it’s essential that you are aware of what these rights are.  Individuals will have the right to access their information: they can request details of all of the information you hold and obtain confirmation from businesses of whether and how their personal data is being processed.  This information must be provided free of charge.  The £10 fee that is currently in place is being scrapped and the time limit for dealing with requests is being reduced to 1 month.

  4. Right to be Forgotten or Erased – The individual will have the right to request that their data is erased or forgotten if it’s no longer relevant to the original purpose.  Again, you must comply with this request.

  5. Data Portability – Individuals can obtain and reuse their personal data for their own purposes.  This is designed to prevent individuals being locked into one product, service or brand.  Are you aware of what data you hold?  Is it correct and up to date?  And can you transfer it electronically as requested by the individual?

  6. Privacy by Design – This calls for the inclusion of data protection planning, and the implementation of appropriate structures to assist with compliance, whenever new systems are designed within your business.

  7. Data Protection Officers – If you are a larger business (more than 250 employees) that is processing a significant amount of EU citizens’ personal data then you may need to appoint a Data Protection Officer.  This will also apply to companies that process or store ‘special’ personal data (such as health information or criminal convictions data), regularly monitor data subjects, or are a public authority.

This may seem like a lot to implement prior to May.  However, there is a slight reprieve for those businesses that are on the ball with the current DPA ’98, as some of the principles of the GDPR are the same as those of the DPA ’98.  Therefore, if you are currently following the DPA ’98 requirements you can use your current systems as a starting point.  That being said, a big shake-up is forthcoming and changes will be required: it is likely that you will need to carry out reviews and analysis to ensure compliance with the upcoming regulation and avoid any unwanted penalties.

Where to Begin?

If you are feeling a little overwhelmed, perhaps the best place to start is with a data audit of all the current information you hold on your systems.  For example, focus on what personal data you hold, where it is stored, who it has been sent to (e.g. other businesses), how it is being processed, and what you tell people about how the data is being processed (e.g. what it is being used for).

Another point to bear in mind is identifying any third-party providers you may work with, such as health care providers, pension schemes etc.  Think about whether the third parties that you share your data with are also compliant.

Also, remember to adapt your privacy notices and policies as appropriate and be sure to inform individuals of their data rights, including how and why their data is being processed. 

Although this seems like a significant change, the end goal remains the same as it is today: to ensure the safety of personal data and to avoid any embarrassing mishaps and lost data for businesses.

In Closing…

It’s likely that for many of us the introduction of the GDPR will require us to put in place new systems and processes to ensure compliance.  Although this may appear an unwanted task, it does have some positives. 

This is a great opportunity to initiate contact with your list and begin informed communication explaining how the upcoming changes affect the individual, emphasising why it’s so important that you retain up-to-date data and what you are doing as a business to ensure that their data is safe in your hands, e.g. that you are up to speed with cyber safety and security.  This has the potential to gain individuals’ trust, which can only be a good thing.  It will also ensure the accuracy of their details and thus create a reliable and, hopefully, responsive list.  This is also the time to obtain consent, even if you have already done so in the past, in a manner that is compliant with the GDPR.  Make sure you keep a record of such consent!

Finally, with a reliable and responsive list that wants to communicate with you, you may find yourself in the position to up-sell and cross-sell and improve your business in the long run!

In closing, I must point out that this is only a brief overview of the GDPR.  It’s quite a detailed regulation and I’d highly recommend investing some time to look into it further for yourself to ensure you have the appropriate systems and procedures in place for 25th May 2018. 

Now is the time to start making your workplace compliant.

For more details visit www.ico.org.uk.