The GDPR clock is ticking. The General Data Protection Regulation (GDPR) comes into force in UK law on 25 May 2018. Here's a quick refresher on what you need to do to get your systems ready for the new legislation.
GDPR countdown: the basics of data protection
GDPR will bring some changes, but there is also continuity. Most importantly, the Information Commissioner’s Office (ICO) will remain the UK’s data protection authority. Its Guide to the GDPR includes checklists for data controllers and data processors. It has also published a document detailing ‘12 steps to take now’ to be ready for GDPR.
You must ensure that every item of personal data you collect is actually needed for ‘processing’ in your business operations. ‘Processing’ here means collecting, recording, storing and sharing personal data. You must identify the lawful basis for each processing activity, and maintain records of any such activity.
Enhanced rights need enhanced systems
GDPR enhances data protection rights and increases the requirements on organisations to take care of data. For many organisations that comply with the current law, this is a key area where procedures need to be tightened. You’ll need a subject access system to provide data electronically and in a commonly used format on request (the right to access). And you’ll need a system to prove you have deleted personal data (the right to erasure).
The overall theme for GDPR is that data protection needs to be transparent. The GDPR updates rights for a networked world, so it’s vital to keep records of who you share personal data with too. For example, if you have inaccurate personal data and have shared this with another organisation, you will have to tell them about the inaccuracy so they can correct their own records.
Consent for data processing
When you collect personal data, you currently have to give people certain information in a privacy notice. The GDPR requires additional information in this notice, including specifying your lawful basis for processing data and your data retention periods. You should review your privacy notices and plan to make any necessary changes in concise, easy-to-understand and unambiguous language.
You should also review how you seek, record and manage consent and whether you need to make any changes. Under the new GDPR standard, permission must be freely given, specific, informed and unambiguous. There must be an affirmative opt-in, so that consent cannot be inferred from silence, pre-ticked boxes or inactivity. It must also be separate from other terms and conditions, and you will need to have simple ways for people to withdraw consent.
For the first time, the GDPR brings in special protection for children’s personal data, particularly in the context of commercial internet services such as social networking. The crucial element is obtaining parental or guardian consent for any data processing activity. Some organisations will need systems in place to verify individuals’ ages, to avoid holding children’s data inadvertently or without the requisite parental consent.
You must report data breaches
One vital element is having procedures in place to detect, report and investigate a personal data breach. The GDPR introduces a duty on all organisations to report certain breaches to the ICO. In some cases, you’ll also need to communicate directly with the individuals affected, if a breach could result in significant economic or social disadvantage such as discrimination, damage to reputation or financial loss. Not only do organisations face fines for the breach itself, but there are also fines for failing to report a breach when required to do so.
Make sure you have a robust system of training about data protection
You should designate someone to take responsibility for data protection compliance. For many organisations, this will mean formally appointing a Data Protection Officer; indeed, this is a requirement for such organisations as public authorities. But from key decision makers to customer-facing staff, it’s vital that everyone is aware that GDPR is coming. So you should implement a training system so that everyone understands the impact GDPR will have on their day-to-day operations.
CAS is here to help you meet your GDPR data protection requirements
When GDPR takes effect, we’ll be maintaining the excellent standards which we have under current data protection legislation. We’ll keep your data safe and secure if you use our document storage or scan-on-demand services. And our office removal and data disposal services maintain data protection as a key consideration.
Contact one of the CAS team now to discuss how we can help you during, and after, the GDPR countdown.
About CAS GDPR compliance
The GDPR countdown has begun; are you ready? CAS provides comprehensive and secure document storage and management, scan-on-demand, and facilities management services. For more than 20 years CAS has worked with NHS Trusts, Financial Services providers, and corporate and private clients. Our head office is just four miles from the City of London, supported by our advanced storage centres across the UK. CAS holds an impressive array of international certifications (ISOs), which demonstrate our compliance with the strictest national, European and international laws. They also demonstrate our commitment to providing innovative systems for security, confidentiality and quality control in keeping your files safe and well managed.