Just over a year ago ‘top predictions for 2017’ included a great deal of activity as organisations of all shapes and sizes got ready for the implementation of the EU’s General Data Protection Regulation (GDPR). In the year since, there has indeed been a great deal of activity, much of it from commentators worrying about the lack of progress and quoting statistics from the first half of 2017 to prove their point. Here’s the latest we can find, from CareersinCyberSecurity.co.uk and London law firm Hamlins LLP (July 2017):
- 73% have not allocated any budget for compliance
- 53% are yet to appoint a data protection officer
- 15% believe that Brexit means exemption from the GDPR
- 12% claim that they do not have the existing funds for compliance
- 11% do not consider there to be any risk to their business
Now, we are not experts in GDPR but our close relationship with data means that we have to have a working understanding of what’s involved and how it might impact our business and, just as importantly, the [data analytic] business of our clients. As for the above statistics, well it’s true that we don’t have a formal budget and our data protection officer looks a bit like Robin, but we do know that UK businesses must comply post Brexit, we will fund our reasonable compliance with the regulations (the alternatives look much more expensive) and when we get this right the risks to the business will be totally manageable.
For those of you who want a bit more detail, here’s a very brief summary of the changes coming into force from 25 May 2018 (courtesy of ICAEW):
- Data processors – must now maintain records and are directly liable if responsible for a breach.
- Data controllers – new obligations including a duty to ensure that your contracts with processors comply with the GDPR.
- Accountability principle – you must show how you comply, e.g. document what you have done and why.
- Privacy impact assessments – must be carried out to assess the risk to individuals’ rights, e.g. when using new technology.
- Higher standards for consent.
- Enhanced rights for individuals, including the right to be informed, object and be forgotten as well as rights regarding access, rectification, erasure, restrictions on processing, data portability and automated decision-making.
- Data protection officer – not mandatory for all organisations but an appropriately senior individual must be responsible for GDPR compliance.
- The duty to report a breach quickly will apply to all and failure to report will result in a fine.
- Increase in maximum fines (4% of global annual turnover).
And finally, if you haven’t yet had quite enough, the ICO has a lot of guidance, including this handy 12-step guide on preparing for GDPR. It covers the following areas, with a link to the full guide at the end:
- Awareness – decision makers and key people in your organisation should be aware that the law is changing to the GDPR and the impact this is likely to have.
- Information you hold – document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit.
- Communicating privacy information – review your current privacy notices and plan for any necessary changes in time for GDPR implementation.
- Individuals’ rights – check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.
- Subject access requests – update your procedures and plan how you will handle requests within the new timescales and provide any additional information.
- Lawful basis for processing personal data – identify the lawful basis for your processing activity in the GDPR, document it and update your privacy notice to explain it.
- Consent – review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents now if they don’t meet the GDPR standard.
- Children – consider if you need to put systems in place to verify individuals’ ages and obtain parental or guardian consent for any data processing activity.
- Data breaches – make sure you have the right procedures in place to detect, report and investigate a personal data breach.
- Data protection by design and data protection impact assessments – familiarise yourself with the ICO’s code of practice on Privacy Impact Assessments as well as the latest guidance from the Article 29 Working Party, and implement them in your organisation.
- Data protection officers – designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements. You should consider whether you are required to formally designate a Data Protection Officer.
- International – if your organisation operates in more than one EU member state (i.e. you carry out cross-border processing), you should determine your lead data protection supervisory authority. Article 29 Working Party guidelines will help you do this.
For the full guide: https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf