The General Data Protection Regulation (GDPR) comes into force on 25 May. If you hold any information on file about people, this new law affects you and you should be preparing for it now.
What’s different to the current Data Protection Act?
Not a lot will change; it’s still about keeping people’s personal information safe. The way you act with regard to people’s data must still be lawful, fair and transparent – and you must have a clear purpose for handling their information.
If you comply with data protection rules now, much of your work is probably already in place. The GDPR places greater emphasis on the documentation that you (as the Data Controller) must keep to demonstrate your accountability, so you need to have effective policies and procedures in place before May. These must be written in plain English.
Make sure everyone in your organisation knows that the law is changing and that it will affect some areas of work, such as filing, storing information online and contacting people by email. Brexit won’t make a difference – we all have to comply or face horrendous fines.
10 steps you can take right away
- Know what information you hold
Document what personal data you hold, where it came from and who you share it with.
Maintain clear records of your processing activities.
- Be aware of people’s rights
Check your procedures to make sure they cover people’s rights, including how you would delete their personal data or provide data electronically and in a ‘commonly used format.’ People have many rights, including to be informed, access their information free-of-charge, have it deleted and not to be subject to automated decision-making, including profiling.
- Communicate privacy information
Review your privacy notices and make any necessary changes. When you collect personal data you currently have to give people certain information, such as your identity and how you intend to use their information. This is usually done through a ‘privacy notice.’ You must now also tell people your ‘lawful basis’ for processing the data, how long you plan to keep their information and that they have a right to complain to the Information Commissioner’s Office (ICO) if they think there is a problem with the way you are handling their data. The GDPR requires this information to be provided in concise, easy to understand and clear language – in other words, in plain English! If you have inaccurate personal data and have shared this with another organisation, you will have to tell the other organisation so it can correct its own records.
- State your lawful basis for processing personal data
Why do you keep people’s information? Identify the lawful basis for why you’re processing people’s data, document it and update your privacy notice to explain it. Some people’s rights will be modified depending on your lawful basis for processing their personal data; the most obvious example is that people will have a stronger right to have their data deleted where you use consent as your lawful basis for processing.
- Gain consent
Review how you seek, record and manage consent. (The ICO has published detailed guidance on consent and offers a checklist to review your practices.) Consent must be freely given, specific, informed and unambiguous. There must be a positive opt-in; consent cannot be inferred from silence, pre-ticked boxes or inactivity. It must also be separate from other terms and conditions, and you must have simple ways for people to withdraw their consent. Consent has to be verifiable and people generally have more rights where you rely on consent to process their data. In these cases, make sure it meets the GDPR standard on being specific, clear, prominent, opt-in, properly documented and easily withdrawn.
- Handle subject access requests
Update your procedures for handling subject access requests and for providing any additional information that is now required. Under the new rules, you will have a month to comply, rather than the current 40 days, and you can refuse or charge for requests that are ‘manifestly unfounded’ or excessive. If you refuse a request, you must tell the person why, and let them know that they have the right to complain to the supervisory authority and to a legal remedy.
- Deal with data breaches
Make sure you have the right procedures in place to detect, report and investigate a personal data breach. You may need to notify the ICO (and possibly some other bodies) if you suffer a personal data breach that is likely to result in anyone being at risk of discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage. You will also have to notify the people affected.
- Protect children
GDPR introduces special protection for children’s personal data, particularly in the context of commercial internet services such as social networking. If relevant to your business, put systems in place to verify people’s ages and to obtain parental or guardian consent for any data processing activity. Children can give their own consent to processing at age 16 (although this may be lowered to 13 in the UK). If a child is younger, you will need to get consent from a person holding ‘parental responsibility’.
- Name your Data Protection Officer
Designate someone to take responsibility for data protection compliance, if you don’t already have someone in this role. Look into the ICO’s code of practice on Privacy Impact Assessments to see whether this relates to your business.
- International? Know which rules apply
If your business operates in more than one EU member state, find out which will be your lead data protection supervisory authority and make sure you apply the relevant rules.
Hopefully, these notes will give you a head start on tidying up your systems in anticipation of the forthcoming changes. This info is adapted from the GDPR section of the Information Commissioner’s Office website where there’s loads more useful advice and guidance to set you straight.
Feel free to get in touch if you’d like help to edit your privacy statement or any other documents into plain English.