In our fourth blog post on the new General Data Protection Regulation, we focus on GDPR Code of Conduct. From May 2018, the General Data Protection Regulation (GDPR) will change the law surrounding data protection. In the past few weeks we’ve looked at how the GDPR defines personal data, how individuals’ rights to consent will change, and how organisations must be accountable for data protection. This week we look at codes of conduct and accreditation schemes. And specifically, how they may be able to help prove that your organisation takes data protection responsibilities seriously.
GDPR code of conduct, will your sector have one?
GDPR endorses the use of approved codes of conduct and certification mechanisms to demonstrate that organisations comply with data protection. If an approved code of conduct or certification scheme that covers your processing activity becomes available, you may wish to work towards it as a way of demonstrating that you comply. Signing up to a GDPR code of conduct or certification won’t be obligatory. Furthermore, it is itself no substitute for having excellent internal policies and procedures. But working towards meeting the code could be a good way to meet accountability requirements. And it can enhance transparency, enabling individuals to distinguish those organisations that they can trust with their personal data.
Governments and regulators can encourage the drawing up of codes of conduct. The UK’s data protection authority, the Information Commissioner’s Office (ICO), will be issuing guidance on this area of the new data protection regime in coming months. But ultimately, codes of conduct will be created by trade associations or representative bodies, in consultation with relevant stakeholders, and will cover a wide range of data protection topics. Meanwhile, certification will come from supervisory authorities (such as the ICO) or accredited certification bodies (the International Organisation for Standardisation, ISO, for instance).
It’s worth bearing in mind that there are steep penalties for failing in your data protection responsibilities, or infringing any code of practice you sign up to. You risk being subject to a fine of up to 10 million Euros (£8,550,000) or 2 per cent of your global turnover. We’ll be looking in a future blog at ways in which you can minimise the risks around notifying breaches of data protection.
CAS will remain at the forefront of data protection accreditation
When contracting work to third parties, it’s worth checking whether they have signed up to codes of conduct or certification mechanisms. This is somewhere that CAS already excels, and we will continue to do so in the wake of the introduction of the new regulations. Depending on the service which CAS provides you with, we may take different roles within your data protection procedures. For instance, CAS acts as a data ‘processor’ for you with our CAS-Cloud service, where we scan documents and upload scanned files to client-managed data banks. The conditions for processing and legal basis for scanning are defined by the client’s own obligations around data retention, and are covered in the contracts which we sign with our clients.
Whatever role we take, rest assured that CAS will remain a market leader in accreditation. We’ll make sure to add to our existing suite of ISO accreditations as new ones become available. If you use any of our document handling, data storage or disposal services, you’ll always get the highest quality service.
CAS will always do everything it can to protection your clients’, customers’, service users’ and employees’ data after the introduction of the GDPR. We will always follow the GDPR Code of Conduct for our sector. Whichever of our services you choose, your data and documents are always safe and secure with us. Call one of the CAS team now if you’ve got any questions about any of our services.
For a free, no-obligation quote for 'digitising data' please contact our specialist team
About Clarks CAS
CAS provides comprehensive and secure document digitisation, information storage and facilities management services. For more than 20 years CAS have worked with NHS Trusts, Financial Services providers, and corporate and private clients. Our head office is just four miles from the City of London, supported by our advanced storage centres across the UK. CAS has an impressive array of International certifications (ISOs), which prove our compliance with the strictest national, European and international laws. They also demonstrate our commitment to provide innovative systems on security, confidentiality and quality control in keeping your files safe and well managed.