We recently spoke to one of our senior Associates and he had some very interesting things to say:
REMEMBER the Y2K Millennium bug? Well, the looming General Data Protection Regulation is not quite as scary. Yes, there is a D-day (or G-day?) deadline when GDPR becomes legally enforceable. However, it is a known quantity; we can see what’s coming, and it doesn’t include the end of the world as we know it.
The National Housing Federation website recently reminded members that they should be aware that the new EU General Data Protection Regulation (GDPR) will be implemented on 25 May 2018. It is also clear that Brexit will not affect the commencement of the GDPR in the UK.
GDPR affects all businesses, large and small, and includes Third Sector organisations. Since the regulation was adopted in 2016, a two-year implementation period has run. Actual enforcement starts on 25th May 2018. So one of the most significant changes in data protection legislation for many years is now just over the horizon.
Despite the clear enforcement date, the Information Commissioner’s Office (ICO) has indicated reassuringly that, “GDPR compliance will be an ongoing journey.” This means that it is expected that we’ve already struck out on the journey and are progressing steadily to ensure that no stone is unturned in pursuit of the full-compliance destination.
Where will the Journey take us?
Alignment of your organisation’s procedures is needed to ensure they cover all the rights individuals have under the GDPR.
The 1998 Data Protection Act (DPA) gave individuals protection and laid down rules governing how data about people can be used. This covered information or data stored on computers or within traditional document filing systems.
The GDPR has been designed to give people much better control over their personal data – and brings new kinds of personal data under the regulation. Almost ALL personal data is protected under GDPR.
The new legal framework imposes very restrictive, enforceable data handling principles. Your key decision makers and managers must be aware of the broader scope that the regulation encompasses.
What’s in our backpacks?
Greater data protection obligations now weigh on an organisation’s back. It is clear that the GDPR journey will be somewhat more arduous than the more familiar DPA road, now well travelled.
The penalty burden for non-compliance has grown sharply: the GDPR allows fines of up to 20 million Euros or 4% of worldwide annual turnover, whichever is higher. The ICO already has a strong focus on staff training and awareness as the key to avoiding the damage and ramifications of breaching the law. Given the severity of falling foul of the law, organisations will recognise that Data Protection Training must be mandatory. It is noteworthy that a Data Protection Officer (DPO) must be appointed in many cases; in fact, upwards of 28,000 new DPO positions within the EU are anticipated.
–Data Protection Training must be mandatory–
Here are just a few examples of areas of the legislation that will impact on nearly every organisation:
- Individuals must be informed as to exactly what personal data is being collected and how it will be processed and used
- Your organisation must prove valid affirmative consent for using personal information
- Are your processes for establishing consent valid under the GDPR?
- Data protection authorities must be informed of a personal data breach within 72 hours of your organisation becoming aware of it
- Your organisation must constantly monitor for breaches of personal data
- “For many organisations, this may require quite a bit of training. It may also require making changes to internal data security policies and how this is promoted in the organisation to ensure data breaches are properly understood and will be recognised easily.”— Karsten Kinast, privacy lawyer
- Individuals have the “right to be forgotten”
- Your organisation must not hold personal data for any longer than is necessary for the purpose it was collected for, and must not change the use of the data from that original purpose
- Do you have processes, software and equipment ready to completely erase data as required under the GDPR?
Put your best foot forward
The GDPR is a broader road. Your organisation will undoubtedly need to adjust the pace and approach to data protection. An information audit will likely be needed and may serve well as a springboard to full compliance. This means documenting what personal data you hold, where it came from and who you share it with. A more nimble response to subject access requests is now essential to comply with the reduced deadline (one month under the GDPR, rather than the 40 days allowed under the DPA).
It’s not the end of the world, but with the May 25th deadline in sight, these changes present a real challenge and something of a burden to all organisations. GDPR is a new reality to be faced and dealt with. It is now time to step up to the line and – in the words of one famous sports shoe manufacturer – “just do it.”
The good news is LBL Skills can help.