Discussion about GDPR is currently everywhere, in numerous industry press releases, in newspapers, even at networking lunches! It seems you can hardly move for someone being concerned about GDPR.
And it is right to think about and take action now in readiness for GDPR, with a little over 4 months to go.
There is time to get this right. This is an evolution, not a revolution.
If you are currently complying with the Data Protection Act 1998, then you will not be far wrong. The Information Commissioner's Office (ICO) has confirmed that it will not be swooping in on companies on 28th May and imposing big fines for small breaches. In fact, the ICO has confirmed that it wishes to remain a pragmatic and proportionate regulator.
GDPR is widely said to be an evolution, not a revolution. It is designed to suit the world we find ourselves in now: 20 years ago, not many people would have thought of their location data, biometric data or online identifiers as personal data. Advances in technology have changed the world and how we, as individuals, act within it. GDPR is designed to be technologically neutral, so it doesn’t matter whether the data is held in or processed using a lever arch file full of records, an Excel spreadsheet saved on a USB stick, an app on a smartphone or some kind of implant chip of the future!
The definition of personal data has evolved to include such items as location data, genetic data, online identifiers and social identity. What is currently known as ‘sensitive personal data’ has evolved into ‘special category personal data’. This still includes racial or ethnic origin, political opinions, religious beliefs and trade union membership, as it did before. Some aspects have evolved: ‘other beliefs of a similar nature’ (to religious beliefs) has become ‘philosophical beliefs’, ‘physical or mental health condition’ has become ‘data concerning health’, and ‘sexual life’ has become ‘data concerning a natural person’s sex life or sexual orientation’. There are also some new aspects, such as ‘processing genetic data or biometric data for the purpose of uniquely identifying a natural person’.
There are some big changes within GDPR. The most talked about initially was the level of fines. Currently, the maximum fine is £500,000. GDPR increases this to 4% of global annual turnover or 20,000,000 euros (whichever is the higher) for the worst breaches. It is a significant increase, reflecting both the seriousness of some breaches and the desire to be proportionate, as £500,000 may represent a risk worth taking for some organisations.
Other big changes include:
- Reporting breaches: Under GDPR organisations must report breaches to both the ICO (in the UK) and the individuals affected within 72 hours. This is significant, as prompt notification can make a big difference to individuals’ ability to protect their data. You may have seen in the press the reaction of the ICO to the revelation of the Uber breach, which Uber did not report to either the Regulator or the individuals affected for a year. In the words of the Information Commissioner, Elizabeth Denham: ‘Tell it all, tell it fast, tell the truth.’
- Subject access requests: currently any individual may make a subject access request, to which the organisation has 40 days to respond and for which it can charge a fee of up to £10. Often the fee is used to stop the clock on the 40 days. Under GDPR, responses must, in general, be free of charge. The time limit is also reduced to one month.
- Pseudonymisation: Under the Data Protection Act 1998 personal data is either identified or anonymised. GDPR adds a new intermediate stage of pseudonymised data. This can help with, for example, analysing medical data for trends without the individuals being fully identifiable, while retaining some elements of personal data that make the analysis more meaningful.
- Children’s data: children have enhanced rights in respect of deletion of data and consent. The relevant age of consent can be set by the individual country, within parameters. This is currently being debated by the House of Lords for the Data Protection Bill.
It’s All About Transparency
The real key to GDPR, though, is the change in the wording of the First Principle, which joins the concepts of lawfulness and fairness with the concept of transparency. The other Principles remain very similar, with accountability being expanded. Transparency is the key. What the GDPR is trying to achieve, through the Principles, the Individual Rights and the requirements upon organisations, is transparency: ensuring individuals understand why organisations want or have their data; on what basis the data is being processed; who it is being shared with; how it is protected; how long it is kept for; that it is kept up to date; and that permission to process can be changed or removed.
This transparency underlines everything.
Action to Take
So how do you get your organisation to where it needs to be?
- The first step is engagement: are senior management engaged with the GDPR changes? If they are not, they need to be. Once senior management are engaged, the rest of the staff need to be. Data protection affects all aspects of most organisations.
- The second step is understanding and documenting the data you have. Simple questions can help you to document the data: what categories you hold; the basis on which you hold and process it; the processing you carry out; whether you share it with others, why, and on what basis; how and where you hold and process it; how it is secured; and how long it is kept for.
- The third step is to use your understanding of the information you have to create a Data Protection Policy and Data Protection Notices for all individuals that you hold data on. These should be very transparent about the data held and processed, as above. You may need different notices for customers, suppliers, employees and contractors, amongst others.
- Next, ensure that you have processes in place for practices such as updating data, removing consents, reporting breaches and responding to subject access requests.
- Finally, train your staff and include data protection terms in contracts with other organisations that handle data on your behalf, or vice versa.
Before May and beyond 2018
The Data Protection Bill is due to be passed before the GDPR comes into effect in May. The Data Protection Bill will bring the GDPR into UK law and will add and clarify additional elements.
The Article 29 Working Party (an EU advisory body which drafted the GDPR) and the Information Commissioner's Office (ICO) have produced, and will continue to produce, guidance on the various aspects of GDPR and, in the case of the ICO, on the Data Protection Bill. The ICO has a lot of good practical advice on its website, including useful checklists and myth-busting practical guidance for different types of organisations.
Of course, with GDPR being a European regulation, there is the issue of Brexit. It has been confirmed by both Elizabeth Denham and Theresa May that the UK will continue to follow GDPR post-Brexit, so crack on, don’t panic and remember: this is an ongoing process.