Roll forward 12 months and there seems to be lots of people telling us what we can and can’t do because of GDPR. Whilst it’s great that there is now much more awareness of the importance of personal data, in some cases there are confusing messages about what is actually required. Well intentioned misinterpretation could hinder rather than help normal business functions and there remains the concern for those businesses who are still oblivious of the changes (as evidenced by the discussions some of my own students recalled recently).
It would be refreshing if organisations prioritised the security of personal data as a matter of conscience. However, those organisations who do know about GDPR seem to be most concerned about the magnitude of the fines that could be applied for non-compliance (4 million Euros or 20% of turnover). Either way, GDPR serves as a means to an end of improving data security. From the perspective of a legal layman I would suggest that GDPR is rather like any form of legislation; interpretation and case law will determine future actions. Since we await the latter I will try to put the former into what it means for a business.
The first consideration is that any business should already be compliant with the Data Protection Act. If an organisation has existing data protection processes and procedures, then it is necessary to undertake a gap analysis of what already exists and what the increased requirements are for GDPR.
The biggest changes are the requirement for all organisations to report data breaches and the right for individuals to have their data removed (there are a few caveats to this e.g. criminal / heath records). But there are also other aspects which need to be addressed. Here is a 10 point plan;
1) Know what personal data you hold, where it comes from and who you share it with (may need to undertake an information audit).
2) GDPR defines Legal Basis for holding data and you need to be clear on which one best fits your activity.
3) Consider the data that you handle, whether you really need it for what you need to do and how long you need to keep it for.
4) Consider how you secure the data that you hold and whether you need to do more?
5) Ensure that you issue privacy notices telling users why you have their data, how it is used, and whom it is shared with.
6) Ensure that you have explicit consent to the data from those users. Many organisations have done this via an email (which can also include point 5) to users or a button that you can click on when you log in.
7) Keep and maintain a record of data processing activities
8) Make sure that your staff know about data security and GDPR (train them)
9) Know what you will do if you have a data breach (it is highly likely that it will need to be reported to the Information Commissioner within 72 hours).
10) Know how you will deal with data subject access requests (users who want to know what data you have on them - need to provide responses within one month) and that you have a process for correction / deletion if requested.
It may be useful to reflect on the ethos of GDPR; to target those organisations playing “fast and loose” with our data and not those organisations who are genuinely trying their best to secure personal information. It is unlikely that anyone is going to come into your organisation after the 26th of May to check your compliance to GDPR. But if you do suffer from a Data Breach, you will be expected to demonstrate your compliance with GDPR and if you cannot do this may face a heavy fine.
A well implemented GDPR is good for all of us. It gives businesses a chance to take stock of where they are with data protection and to act where weaknesses are identified. It should make us think about our personal data as individuals, who we want to share our data with and how important it is to protect it. Together this is an opportunity to make data more secure and to be able to take full advantage of the digital world without suffering negative consequences.
The ICO guidance 12 steps to GDPR: https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf
Advice from the National Cyber Security Centre (NCSC) Guidance for Small Business: https://www.ncsc.gov.uk/smallbusiness
Not part of GDPR but additional legislation applying to those engaged in electronic marketing. The Privacy and Electronic Communications Regulations (PECR):