GDPR (General Data Protection Regulation) is the modern iteration of our current Data Protection Act. It has been implemented to ensure your data is handled in a way that suits the fast-moving pace of technology. First of all, do we need it? Well, in short, yes. Data, put simply, is facts and statistics about a given subject collected together for analysis. But when the term data begins to encompass your personal, biological and genetic information, it becomes clearer why GDPR is required. Technology that can read your iris or fingerprints is now commonplace, and the way this data is collated and stored is often overlooked. GDPR will give you more say over what companies can do with your data and also increase the security of where it is stored.
But what is it?
GDPR is a regulation that has been legislated to give a clearer approach to data security. It applies to any controller (an organisation that collects data), any processor (an organisation that processes data on behalf of any controller) or the data subject (any person based in the EU). It is a single set of rules that applies to all EU member states and it comes into effect on 25th May 2018.
It seems like another Y2K!
Well, it isn’t. It will give you the chance to implement a positive digital transformation, essentially ensuring best practices are no longer best practices but become standard practices. Security will be ensured by design and by default, such as having a firewall, antivirus or encryption surrounding personal data. It will also require a review of your business processes: employees can’t just jot down customer details on a notepad and leave them. A process will need to be put in place to help employees understand how this can be classified as personal data, and also how organisations collect and process their employees’ data.
Will there be a lot of work required?
Well, there will be some, but this is where technology can help you. A data audit and an assessment of what your current practices are would be the ideal first step. This would give you a clear understanding of where you are not compliant and what you can do to fix it, whether that be the addition of encryption or employee training sessions. Each business will require a tailored solution that needs to be adaptable enough to evolve with the changing regulatory landscape.
With the security aspects dealt with, organisations can focus on the rights individuals have as part of GDPR, such as the right to be forgotten. Could you ever be certain that you have managed to remove every single piece of information about an individual? Technology steps in again: the ability to audit your infrastructure and identify where the data is held without any manual processing will be a huge cost benefit, not only in the reduction of processing time but in the guarantee it offers in knowing you have conformed fully to any request.
But what about Brexit? Once I make all these changes, won’t I have to undo them?
Not exactly. As part of the process of withdrawal from the EU, all EU laws will be copied into UK legislation. Currently, EU law takes precedence; copying the legislation across ensures a smoother transition. The UK parliament can then amend, repeal and improve the laws as necessary. At present it does seem that, to aid negotiations with the EU, continuity of EU rules and regulations will be a priority. And with GDPR applying to any EU citizen, regardless of where the data is collected or processed, it is likely GDPR is here to stay.
Consider appointing a Data Protection Officer (DPO) or adding this responsibility to an existing role. A DPO is not mandatory in all scenarios but the advice is to assume you do need a DPO unless you can prove you do not. You don't need a DPO if you do not monitor data subjects or process special category personal information.
Plan to complete a full Data Audit. A great first step on your GDPR journey is to understand what data you hold, whether electronic or hard copy. Knowing not only where your data is but also whether you possess personal data, and whether you are a controller or processor of data, will help you further understand your obligations as part of GDPR.
Within the above, consider the clear legal purpose for holding personal data and plan accordingly for retention or deletion. Create a retention policy that is in alignment with the necessity to retain personal data.
Develop a Security Policy. Having a policy that defines standards will conform to GDPR and ensure continued security. This should define various areas such as patch management for servers or the decommissioning of devices that hold personal data including the correct data removal methods.
Consider training on Subject Access Requests (SAR). When an individual wants to see a copy of the information an organisation holds about them, you will be required to list the personal data, the reason it is being processed and whether it will be given to any other organisation or people.
Plan for a data breach. Plan for the worst, hope for the best. Knowing who needs to be notified and understanding what constitutes a breach will ensure you notify without undue delay.
Issue a Personnel Advisory Notice to state your GDPR plan and position. The success of any change relies on how well it is communicated. With the complexities of GDPR, giving clear and simple advice will greatly improve your overall position.
Overall I feel GDPR will enhance customer-employee relationships and provide a much more secure environment for your data. Knowing that company devices that contain your data are encrypted and that at any point you have the right to be forgotten will likely result in you being more likely to provide data to organisations you work with.
If you have any queries about how GDPR might affect your business, or for advice on some of the solutions available – feel free to contact us either by phone: 0113 387 1070 or via email: [email protected]