So, what is GDPR all about? Simply put, it is the updated set of data protection rules that apply to the use of personal information. The difficulty is that there are approximately 120 differences between the Data Protection Act 1998 and the GDPR regime implemented in the UK by the Data Protection Act 2018. The following are some of the basic points to understand in order to move forward and become compliant.
How do I start to understand GDPR?
You have to be aware of what your obligations are as an organisation. If you didn't know, there are 15 things that need to be covered: 7 "Principles" and 8 "Rights". They are set out under the two headings below.
The Principles of GDPR
The seven principles, as set out in Article 5 of the GDPR and in the ICO's guidance, are:
Lawfulness, fairness and transparency
Purpose limitation
Data minimisation
Accuracy
Storage limitation
Integrity and confidentiality (security)
Accountability
These principles are what the organisation has to cover in its internal documentation to ensure that it does not break the rules. Adherence to GDPR does not have to be overbearing for an SME, as policies and procedures should be proportionate to the risks involved.
These elements are basically the same as under the prior Act, but they are now to be understood as a framework and used alongside other legislation, e.g. the Equality Act 2010, the PECR 2003, etc.
Interestingly (at least for data protection geeks like me), Accountability was added to the ICO's list of "Principles" in Q4 2018/Q1 2019, alongside the introduction of personal fines for directors. Accountability has always been part of the 2018 Act and of the GDPR itself (Article 5(2)); however, the ICO has taken the decision to present it as a principle in its own right.
The Rights of Individuals
The eight rights, as listed in the ICO's guidance, are:
The right to be informed
The right of access
The right to rectification
The right to erasure
The right to restrict processing
The right to data portability
The right to object
Rights in relation to automated decision making and profiling
The rights of individuals are effectively how the principles shown above protect individuals, and they define the requests individuals can make to an organisation about their data. Some of these requests have stringent response times (normally one calendar month), so make sure you are aware of what they are.
So, What Should I do First?
An organisation needs to make sure it is acting appropriately under the new data protection regulations. The list below should help.
Make sure that each person in your organisation is aware of their responsibilities – ideally from the top down.
What information do you hold, and do you have to take additional security measures to store it? How easily can you amend, erase, or destroy it?
Review privacy notices, terms and conditions and identify what is marketing and what is not for your organisation.
Understand whether you need to change anything to uphold the rights individuals have over their data.
Subject Access Requests.
Make sure you have an identified process to locate and provide any personal information held by you (potentially including images and recordings) within the timeframe allowed, currently one month.
Lawful Basis for Processing Data.
Understand why, from a regulatory perspective, you need to process personal data, e.g. as the result of a contract (verbal or otherwise), as a legal obligation (as schools have), or under any of the other four lawful bases. Remember that your relationship with a customer may require more than one basis.
Understand why consent does not work for every process, and why a different basis is often more appropriate.
Data held relating to children.
Understand the sensitivity required when collecting any data to be processed in relation to children. Ensure that you, as an organisation, take appropriate measures to safeguard this data.
Make sure that you have a process to report data breaches to the regulator where necessary, know who is responsible for what, and know how long you have to act once a data breach is identified (reportable breaches must be notified to the ICO without undue delay and within 72 hours of becoming aware of them).
Data Protection by Design and the Data Protection Impact Assessment.
These are principles that can loosely be applied using common sense. Things like: I will not leave a confidential file in a café; and: this project will require specialist support because it involves providing counselling to individuals. Whether your view is right can be checked by completing a Data Protection Impact Assessment.
Data Protection Roles.
There are three roles in the current data protection regulation. The Data Controller and Data Processor must be identified (in the smallest organisations the same person may fill both roles), and if you meet the appropriate criteria you will also need a Data Protection Officer.
Impacts of international trade.
Understand where international trade affects your data protection obligations, and inform customers of what you have done to protect them. This could be as simple as providing a revised set of terms and conditions.
The way to put all of this theory into practice is to revise the relevant internal documentation you have (your policies and procedures). Currently (Q1 2019) the Information Commissioner's Office (ICO), the regulator, wants SMEs to show a willingness to be educated and to make changes appropriate to the risk in their own operations. If you are a B2B organisation you will most probably have a lower inherent risk. If you are a B2C organisation dealing with sensitive (special category) information you will most probably have a high, or even the highest, inherent risk.
There is much more information available, some of it very detailed. Please look through the other blogs to see if the information you want is provided.
If not, we would be pleased to answer your enquiry through firstname.lastname@example.org, or visit https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/ for more information direct from the ICO.