GDPR: Are you protecting your most important asset?
By now, you will no doubt be aware of the forthcoming changes to data protection, effective from 25 May 2018, through the General Data Protection Regulation (GDPR). So important are the changes that the ICO has described them as "the biggest change to data protection law for a generation".
Government has also announced its proposal to enshrine the changes into national law so that there is clarity on the position in a post-Brexit world.
Are you sitting comfortably?
The often repeated headline is the increase in the ICO's power to fine organisations for breaches of GDPR, from the current level of £500,000 to up to €20,000,000 or 4% of annual global turnover, whichever is higher.
Whilst this is true, the changes should be viewed as more than just a financial risk for your organisation. Over the past few years, individuals have become increasingly aware of their personal data rights and have welcomed the increased control they will have under GDPR. We have also recently seen numerous high profile and potentially disastrous cyber-attacks putting individuals' – often sensitive – information at risk across a range of sectors, regardless of organisation size. As a result, and in an increasingly digital world, around 80% of people think that they do not have adequate control over their data online.
Organisations are quickly realising that keeping the personal information they hold secure, and treating it fairly and transparently, could be one of their biggest assets, a thought echoed by the ICO:
"If your organisation can’t demonstrate that good data protection is a cornerstone of your business policy and practices, you’re leaving your organisation open to enforcement action that can damage both public reputation and bank balance. But there’s a carrot here as well as a stick: get data protection right, and you can see a real business benefit."
Then we'll begin
Many of you have already been in touch with us to discuss how and when you should be preparing for the forthcoming changes and how exactly the changes might affect your organisations. Recent figures show, however, that a significant proportion of SMEs are still behind in getting ready for the changes.
It is not too late, but you do need to take action. This is an opportunity for you to take the following steps towards compliance:
- Talk to your senior decision makers and get their buy-in; GDPR puts data protection at the heart of your organisation. It should have the ear of your most senior decision makers, and should be considered in all aspects of your planning and business strategy.
- Policies and procedures will need to be considered and updated, and training should be rolled out to all staff members on the new legislation.
- Now is an ideal time to audit what personal data you hold, why you have it and how long you are keeping it. The overarching principles of data protection law are clear that information should be "adequate, relevant and limited to what is necessary" and held only for the purposes it was originally obtained.
- Consider the processing conditions you rely on to ensure you are using personal data lawfully. If the personal data is sensitive in nature, more stringent conditions will need to be considered. If you rely on consent, you should review how you have obtained that consent to ensure that it meets the new requirements of GDPR, refreshing your consents as necessary before May.
- Will you need to appoint a Data Protection Officer and, if so, who will that be? DPOs will be fundamental to ensuring ongoing compliance with GDPR. We are expecting further guidance from the ICO on this, but current European guidance states that those involved in the public housing sector should consider appointing a DPO as a matter of good practice.
- Do you have adequate measures in place to ensure that data is kept secure and individuals' data rights can be observed? You should consider technical measures relating to your IT systems and software and organisational measures such as protocols, policies and procedures for the handling of data by staff.
- Ensure you have technical and organisational measures in place to detect and react to any data breaches and to mitigate the risks to that data and your reputation. Who within your organisation should receive reports of data breaches and decide what action to take?
- Who are you sharing data with? Are you entitled to do so and if so, do you have appropriate data sharing agreements in place to ensure that the data is kept secure and confidential? Ensure you appropriately vet those who will be processing data on your behalf.
- Communicate with your customers and key stakeholders. Let individuals know exactly what you are doing with their data, why and for how long. Your organisation needs to be transparent; your privacy notices will require more detail and will need to be reviewed.
- Individuals must also be told about their right to withdraw their consent at any time; their rights to access copies of their own data for free; to rectify inaccurate information; object to things such as direct marketing and, in certain circumstances, to have their personal data deleted or transmitted directly to another organisation.
- Ensure you have plans in place to communicate swiftly and effectively with the ICO whenever necessary.
Considering these issues will stand you in good stead in working towards compliance and protecting one of your most high profile and valuable assets.