The new General Data Protection Regulation (GDPR) will come into force in 10 months. Are you ready?
What is it?
In a nutshell, it’s the rules governing the processing and control of personal data. Broadly speaking this includes the storage, use and transfer of information relating to a living individual who can be identified. The Information Commissioner’s Office (ICO) has produced a quick guide.
Rules setting out the limits on the use of personal data by organisations have been around for many years, the latest UK iteration being the Data Protection Act 1998 (DPA).
The GDPR is an EU legal instrument, but the government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR on 25th May 2018. So there is no point in waiting to see what Brexit deal is promoted over the coming months. It’s time to bite the bullet to ensure that you comply.
The GDPR is similar in many ways to the DPA. If you are complying properly with the current rules then most of your approach to compliance will remain valid under the GDPR and can be the starting point to build from. But there are some significant new and different requirements that organisations need to get to grips with.
If you use personal data to fundraise then you need to follow the latest guidance on fundraising and data protection. The Fundraising Regulator provides guidance which complements guidance from the ICO on direct marketing.
What are the key things to look out for?
Consent under the GDPR must be a freely given, specific, informed and unambiguous indication of the individual’s wishes. There must be some form of clear affirmative action – or in other words, a positive opt-in – consent cannot be inferred from silence, pre-ticked boxes or inactivity.
The GDPR contains new provisions intended to enhance the protection of children’s personal data.
The GDPR creates some new rights for individuals and strengthens some of the rights that currently exist under the DPA. For example, organisations will have an obligation to erase data when customers ask to exercise their ‘right to be forgotten’.
You should make sure that decision makers and key people in your organisation are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have.
Information you hold
You should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit.
Communicating privacy information
You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation. The ICO has produced guidance on privacy.
You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format. The ICO has produced guidance on the rights of individuals.
Subject access requests
You should update your procedures and plan how you will handle requests within the new timescales and provide any additional information. The ICO has drafted more detailed guidance on dealing with access requests.
Lawful basis for processing personal data
You should identify the lawful basis for your processing activity in the GDPR, document it and update your privacy notice to explain it. The ICO has written more detailed guidance on what is a lawful basis.
You should review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents now if they don’t meet the GDPR standard. Information on what form the consent could take has been drafted by the ICO.
You should start thinking now about whether you need to put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity. GDPR says children under 16 cannot give consent (although this may be reduced to 13 in the UK).
You should make sure you have the right procedures in place to detect, report and investigate a personal data breach. The ICO has provided an overview of the process.
Data Protection by Design and Data Protection Impact Assessments
You should familiarise yourself now with the ICO’s code of practice on Privacy Impact Assessments and work out how and when to implement them in your organisation. The ICO has provided advice on how to do this.
Data Protection Officers
You should designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements. You should consider whether you are required to formally designate a Data Protection Officer. The ICO has provided guidance on accountability and governance.
If your organisation operates in more than one EU member state (i.e. you carry out cross-border processing), you should determine your lead data protection supervisory authority.