The GDPR countdown has begun: it’s just five months until the General Data Protection Regulation (GDPR) comes into effect in May 2018. We’ve talked before in this blog about the steps your organisation should take to be ready for this new data protection regime. But we thought it was worth refreshing your memory as to what’s involved – and how you need to update your data protection systems.
Data protection: the basics
While the GDPR countdown clock is ticking and regulations are changing, there is some continuity. Critically, the Information Commissioner’s Office (ICO) will remain the UK’s data protection authority. They’ve produced a Guide to the GDPR, which includes specific checklists for data controllers and data processors. They have also published a document detailing ‘12 steps to take now’ to be ready for GDPR.
Most organisations need to get back to basics. You must ensure that all personal data you collect actually needs to be ‘processed’ for your business operations. ‘Processing’ here means collecting, recording, storing and sharing personal data. You must identify the lawful basis for your processing activity, and maintain records of any such activity.
GDPR personal data: enhanced rights need enhanced systems
The GDPR enhances data protection rights, and increases requirements for organisations to take care of data. For many organisations which comply with the current law, this is a key area where they need to tighten procedures. You’ll need a subject access system to provide data electronically and in a commonly used format on request (the right to access). And you’ll need a system to prove you have deleted personal data (the right to erasure).
The overall theme for GDPR is that data protection needs to be transparent. The GDPR updates rights for a networked world, so it’s vital to keep records of who you share personal data with too. For example, if you have inaccurate personal data and have shared this with another organisation, you will have to tell them about the inaccuracy so they can correct their own records.
Explicit consent for data processing
When you collect personal data, you currently have to give people certain information in a privacy notice. The GDPR requires additional information in this notice, including specifying your lawful basis for processing data and your data retention periods. You should review your privacy notices and plan to make any necessary changes in concise, easy-to-understand and clear language.
You should also review how you seek, record and manage consent and whether you need to make any changes. Under the new GDPR standard, consent must be freely given, specific, informed and unambiguous. There must be a positive opt-in, so that consent cannot be inferred from silence, pre-ticked boxes or inactivity. It must also be separate from other terms and conditions, and you will need to have simple ways for people to withdraw consent.
For the first time, the GDPR brings in special protection for children’s personal data, particularly in the context of commercial internet services such as social networking. The crucial element is obtaining parental or guardian consent for any data processing activity. Some organisations will need systems in place to verify individuals’ ages, to avoid holding children’s personal data inadvertently or without the requisite parental consent.
Reporting data breaches becomes ever more important
One vital element is having procedures in place to detect, report and investigate a personal data breach. The GDPR introduces a duty on all organisations to report certain breaches to the ICO. In some cases, you’ll also need to report directly to the individuals affected, if a breach could result in significant economic or social disadvantage such as discrimination, damage to reputation or financial loss. Not only do organisations face fines for the breach itself, but there are also fines for failure to report a breach when required to do so.
And don’t forget a system of training about data protection
You should designate someone to take responsibility for data protection compliance. For many organisations, this will mean formally appointing a Data Protection Officer; indeed, this is a requirement for such organisations as public authorities. But from key decision makers to customer-facing staff, it’s vital that everyone is aware that GDPR is coming. So you should implement a training system so that everyone understands the impact GDPR will have on their day-to-day operations.
GDPR Countdown: CAS is here to help you meet your data protection requirements
When GDPR takes effect, we’ll be maintaining the excellent standards which we have under current data protection legislation. We’ll keep your data safe and secure if you use our document storage or scan-on-demand services. And our office removal and data disposal services maintain data protection as a key consideration.
Contact one of the CAS team now to discuss how we can help you during, and after, the GDPR countdown.
About CAS: GDPR-compliant document storage and management
The GDPR countdown has begun: are you ready? CAS provides comprehensive and secure document storage and management, scan-on-demand, and facilities management services. For more than 20 years CAS have worked with NHS Trusts, financial services providers, and corporate and private clients. Our head office is just four miles from the City of London, supported by our advanced storage centres across the UK. CAS has an impressive array of international certifications (ISOs), which prove our compliance with the strictest national, European and international laws. They also demonstrate our commitment to providing innovative systems for security, confidentiality and quality control in keeping your files safe and well managed.