Why couldn’t things stay the same?
To put things very bluntly, the prior data protection legislation had numerous holes that had to be filled to stop (or at least try to stop) the less scrupulous from exploiting the data of individuals. To explain this simply, the biggest change that the new legislation brings should be a change in attitude.
At the heart of GDPR is a concept called Data Protection by Design, or DPD for short. To overstate the change in attitude required, the principle that should now be employed is to put the security of data before profit.
GDPR is no longer new, but so many still do not know what to do to become compliant. This series of blog posts is designed to help you understand what you have to do to be compliant and what you should do.
The ICO has already issued a press release stating a desire to obtain compliance through education and encouragement rather than frequent visits to, and fines for, organisations.
What do I have to change for GDPR?
If you are an organisation that collects personal data and uses it in your processing then you have to either:
- Register as a Data Controller with the ICO.
- Register with the ICO as an organisation that should be considered exempt.
Failure to do this could result in fines ranging from £400.00 to £4,350.00. The ICO issued its first set of fines on this very subject in November 2018, because organisations that had been registered before 25th May 2018 were no longer found on the register afterwards. Following a series of communications from the ICO to those organisations, those that still did not register in some form were issued with a fine.
If you believe that your organisation already acts “carefully and responsibly” with the personal data of an individual, you do not have to do anything else. Having said this, “carefully and responsibly” means more since 25th May 2018, so be careful about this.
The guidelines from the ICO are that every organisation should have some very basic framework that provides information on what personal data they keep, why it is used, how long it is stored and how it is destroyed. This can be completed in a few basic documents:
- A data policy (including a data breach process, with data breach reporting guidelines and a report).
- A marketing policy.
- An information security policy.
- Appropriate Terms & Conditions.
- Updated HR policies (if appropriate).
Obviously, the more complex your organisation is, or the more complex your processing is, the more work this will become.
I’m registered, can’t I just stay as I am?
Yes, you can, but you run the risk of having the ICO impose penalties on you if someone complains about you and the complaint is upheld.
Penalties are not always financial; there is something called an “Enforcement Notice” that is often used before a financial penalty is issued. This means that the ICO will advise you of the type of changes that need to take place in your organisation and will come back after an agreed period to ensure that the changes have been made.
If no changes have been made, or even if the rate of change is too slow, the ICO can issue a fine and continue with the “Enforcement Notice” by extending its validity (as they have done in the past).
At the end of the day, it is up to each organisation to propose what is appropriate for it and to have any associated decisions evidenced in the form of policy or board meeting minutes. One final word of warning before you decide to do nothing: in late 2018/early 2019, the ICO introduced financial penalties of up to £500,000.00 for company directors who had made no effort to comply with GDPR. So directors who deliberately choose to do nothing, e.g. not even making the smallest changes, are not showing the right attitude, and they run the highest risk of having a financial penalty imposed on them.
There is so much more information available, some of it very detailed. Please look through the other blogs and see if the information you want is provided.
If not, we would be pleased to answer your enquiry through firstname.lastname@example.org, or visit https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/ for more information direct from the ICO.