Preparing for the GDPR: Steps to Take Now
The General Data Protection Regulation (GDPR) comes into force on 25 May 2018. Information Commissioner Elizabeth Denham describes the implications as “the biggest change to data protection law for a generation”. The British government will adopt the regulation while the country remains in the EU and mirror it once it leaves. The new Data Protection Bill will bring the regulations into UK law once it passes through Parliament. The proposals for the UK Data Protection Bill are broadly similar to those in the EU regulations, although the government will exercise its right to make some minor amendments.
The maximum fines will differ due to currency, and citizens will have the right to request social media platforms to delete information held about them at the age of 18. The UK can also give permission to some additional bodies to process personal data on criminal convictions and offences. In general, the regulations enforce complex data obligations for companies that current policies are unlikely to satisfy and include damaging fines for breaches, but research suggests that many businesses remain entirely unprepared. Technology advisory firm Gartner predicts that by the end of 2018, more than half of them still won’t be fully compliant with the requirements.
“If your organisation can’t demonstrate that good data protection is a cornerstone of your business policy and practices, you’re leaving your organisation open to enforcement action that can damage both public reputation and bank balance,” warned Denham.
“But there’s a carrot here as well as a stick: get data protection right, and you can see a real business benefit.”
The ICO (Information Commissioner’s Office) also used the day to launch an updated data protection toolkit for SMEs and its Information Rights Strategic Plan, and to relaunch its guidance on the 12 steps to take to prepare for GDPR.
What is the GDPR?
The GDPR was adopted by the European Parliament in April 2016 following four painstaking years of deliberation. The provisions reinforce data protection in line with contemporary concerns about personal information, and apply both to EU member states and to organisations outside the union when they process the data of citizens within it.
“The GDPR introduces obligations for data controllers and processors in several areas,” minister of state for digital and culture Matt Hancock told the House of Lords EU Home Affairs Sub-Committee on 1 February. “It strengthens the rules for obtaining consent. It strengthens the need for breach notifications and it emphasizes self-assessment in the management of data. We have said that the UK is going to implement GDPR in full, and there’s two reasons for that.
“The first is because we think that thanks to some significant negotiating successes during its development we think that it is a good piece of legislation in and of itself. That’s the first thing.
“And the second is we are keen to secure the unhindered flow of data between the UK and the EU post-Brexit, and we think that signing up to the GDPR data protection rules is an important part of helping to deliver that.”
Regulations have been harmonised to ease compliance, with one set of laws applying across all 28 member states. The clarity comes with severe penalties for violations. Breaches could result in a fine of up to €20 million (£17 million) or four percent of worldwide revenue, whichever is higher.
In a nutshell, you cannot afford complacency with these regulations. That’s why we have put together these steps that will help your business prepare for GDPR.
Your trustee board and senior staff should be aware that the law is changing. They need to know enough to make good decisions about what you need to do to implement GDPR. One of the reasons that GDPR is being brought in is to make businesses accountable for breaches and loss of data. This means that you need not only to put security features in place, but also to take the time to understand how attackers operate. Whether you’re a director in the business or the manager of the IT department, it’s up to you to lead from the front and have a full understanding of the risks.
Work with an Experienced Cybersecurity Firm
If you don’t currently understand the rules in the incoming legislation, then it’s vital that you start to work with a business or expert that does. Choose an experienced and knowledgeable cybersecurity firm with extensive GDPR services. They will be able to review your current systems to establish how prepared you are for GDPR. You will also be able to rely on their help to implement the new elements of the system.
Identify what data you hold and where that data came from
If you don’t know what personal data you hold and where it came from you will need to organise an audit of your different systems and departments to find out. This means all personal data including employees and volunteers, service users, members, donors and supporters and more. You should document your findings as GDPR means you must keep records of your processing activities. You should also record if you share data with any third parties.
Know how you will deal with ‘subject access requests’
Individuals have the right to know what data you hold on them, why the data is being processed and whether it will be given to any third party. They have the right to be given this information in a permanent form (hard copy). This is known as a subject access request. Your organisation needs to be able to identify a subject access request, find all the relevant data and comply within one month of receipt of the request.
Build in extra protection for children
Many charities support children and young people, and GDPR brings in special protection for children’s personal data. GDPR says children under 16 cannot give consent (although this may be reduced to 13 in the UK), so you may have to seek consent from a parent or guardian. You will need to be able to verify that the person giving consent on behalf of a child is allowed to do so, and any privacy statements will need to be written in language that children can understand.
Get ready to detect, report and investigate personal data breaches
A data breach is a breach of security leading to ‘accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data’. You will need to have the right procedures in place to detect, investigate and report a personal data breach. GDPR introduces a duty to report certain types of data breaches to the ICO and in some cases to the individuals concerned. You need to be able to demonstrate that you have appropriate technical and organisational measures in place to protect against a data breach.
Be Prepared for Assessments
This legislation is being taken very seriously and it is likely that you will face assessments to ensure that your policies have come into line with the rules. Don’t assume that you will be able to claim innocence through ignorance of the rules – fixed penalties will be applied to companies that do not comply. It’s a much better idea to get your GDPR policy sorted as soon as possible so that the whole business is used to it by the time the regulations come into force.
Applying these steps to your business will do so much more than just prepare you for legal changes. The whole point of the GDPR policy is to keep companies better protected and able to deal with breaches in security. Putting into place the right strategies and systems can keep your business secure for years to come.