13 July 2017
We wrote in a previous blog about GDPR and how it affects every business in the UK, as well as any global company holding personal data on individuals in the EU. A lot of people are concerned about the General Data Protection Regulation (GDPR), what it means and what they must do to be compliant. Many of the voices in this space are companies trying to sell solutions that are either directly or loosely related to GDPR, and care must be taken not to buy something that isn't actually required.
Our suggestion is to start with the Information Commissioner's Office (ICO), as it provides a lot of independent advice and is the body that will be issuing fines. Its document "Preparing for the General Data Protection Regulation (GDPR) - 12 steps to take now" gives a good overview of the areas covered and what needs addressing. To help you get the ball rolling, this blog is a short summary of those twelve points.
All of the information we provide is to our best understanding at the time of writing, however this blog does not offer legal advice. If you require advice on your specific business we recommend that you seek independent legal advice.
It is important that key people in your organisation are aware of GDPR and its direct implications for the business. Because those implications are significant, GDPR may affect systems, procedures and resources, and the sooner your company starts managing this the easier it will be to be compliant by the deadline.
You should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit across the organisation or within particular business areas.
A key element of GDPR, as it was under the DPA, is transparency: providing accessible information about how you will use personal data. The most common practice is to provide a privacy notice, and GDPR requires that notice to contain more information than the DPA did (for example, your lawful basis for processing and how long you will retain the data).
You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.
You will be required to respond to subject access requests within one month, explaining what data you hold and why you are holding it. You are not generally allowed to charge for access requests; you may charge a reasonable fee, or refuse to respond, only where a request is manifestly unfounded or excessive. If you carry out automated decision-making or profiling, such as ratings or credit checks, there is a separate set of rules covering the individual's right to challenge the decision.
You should identify the lawful basis for your processing activity in the GDPR, document it and update your privacy notice to explain it.
You should review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents now if they don't meet the GDPR standard. Unlike the DPA, there must be a positive opt-in: consent cannot be inferred from silence, pre-ticked boxes or inactivity, and it must be as easy to withdraw as it was to give. Consent must not be a mandatory condition of providing products or services; where data collection is genuinely mandatory (such as for credit checks), an alternative lawful basis must be in place instead.
You should start considering putting systems in place to verify individuals' ages, because where an online service is offered directly to children and relies on consent, that consent must come from a parent or guardian for anyone under 16 (this may be lowered to 13 in the UK).
You should make sure you have the right procedures in place to detect, report and investigate a personal data breach. Under GDPR a breach that is likely to result in a risk to individuals must be reported to the ICO within 72 hours of becoming aware of it, and the affected individuals must be told directly where the risk to them is high.
GDPR makes a privacy by design approach an express legal requirement. In some circumstances, notably where processing is likely to result in a high risk to individuals (such as large-scale profiling or new technology), it is mandatory to carry out what used to be called a Privacy Impact Assessment (PIA), now referred to as a Data Protection Impact Assessment (DPIA).
Public authorities, and organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data, are required to appoint a Data Protection Officer (DPO). However, irrespective of whether you are required to have a DPO, you are advised to designate someone to take responsibility for data protection compliance in your organisation.
If you process data across a number of EU member states, you should determine your lead data protection supervisory authority. This is the authority in the country where your main establishment is, that is, where the most significant decisions about your processing activities are made.
In our next GDPR blog we will look at addressing the legislation from a practical point of view. We will also look at how both the Microsoft offerings and our own solutions can help with addressing those points, which should give you an idea of what you need to do with your own systems. If you would like to stay up to date with our news, please sign up below.