In just 100 days, the new General Data Protection Regulation (GDPR) comes into effect in the UK and across the EU. And, if you think Brexit means you don’t have to think about it, think again. The UK government announced last year that GDPR will still take precedence in British law. Here is a quick outline of the details and just how CAS can help with compliance around data storage and document archiving.
Data protection
The GDPR countdown clock is ticking away, but there is some continuity. Importantly, the Information Commissioner’s Office (ICO) remains the UK’s data protection authority. They have published a GDPR Guide; it includes checklists for data processors and data controllers. They’ve also produced a document detailing ‘12 steps to take now’ for GDPR compliance.
Most companies need to think about the basics. They must make sure that personal data they collect actually needs to be ‘processed’ for business operations. ‘Processing’ means collecting, recording, storing and sharing personal data. They must identify the legal basis for the processing activity, and maintain records of any such activity.
Consent must be explicit
When you collect personal data, you currently have to give people certain information in a privacy notice. The GDPR requires additional information in this notice, including specifying your lawful basis for processing data and your data retention periods. You should review your privacy notices and plan to make any necessary changes in concise, easy-to-understand and clear language.
You should also review how you seek, record and manage consent and whether you need to make any changes. Under the new GDPR standard, consent must be freely given, specific, informed and unambiguous. There must be a positive opt-in, so that consent cannot be inferred from silence, pre-ticked boxes or inactivity. It must also be separate from other terms and conditions, and you will need to have simple ways for people to withdraw consent.
For the first time, the GDPR brings in special protection for children’s personal data, particularly in the context of commercial internet services such as social networking. The crucial element is obtaining parental or guardian consent for any data processing activity. Some organisations will need systems in place to verify individuals’ ages, to avoid holding children’s personal data inadvertently or without the requisite parental consent.
Enhanced rights and enhanced systems
GDPR both enhances data protection rights and increases the requirements on companies to take care of data. For many organisations that comply with the current law, this is a key area where they need to tighten procedures. You’ll need a subject access system to provide data electronically and in a commonly used format on request (the right of access). And you’ll need a system to prove you have deleted personal data (the right to erasure).
In essence, GDPR requires that data protection is transparent. GDPR updates rights for a networked world, so it’s vital to keep records of who you share personal data with too. So, if a business has inaccurate personal data and has shared this with another organisation, they will have to advise them about the inaccuracy so they can correct their own records.
You must report breaches of data protection
A vital element is having procedures in place to detect, report and investigate a personal data breach. The GDPR introduces a duty on all organisations to report certain breaches to the ICO. In some cases, you’ll also need to report directly to the individuals affected, if a breach could result in significant economic or social disadvantage such as discrimination, damage to reputation or financial loss. Not only do organisations face fines for the breach itself, but there are also fines for failure to report a breach when required to do so.
Training staff about data protection
You should designate someone to take responsibility for data protection compliance. For many organisations, this will mean formally appointing a Data Protection Officer; indeed, this is a requirement for such organisations as public authorities. But from key decision makers to customer-facing staff, it’s vital that everyone is aware that GDPR is coming. So you should implement a training system so that everyone understands the impact GDPR will have on their day-to-day operations.
CAS is here to help you meet your data protection requirements
When GDPR takes effect, we’ll be maintaining the excellent standards which we have under current data protection legislation. We’ll keep your data safe and secure if you use our document storage or scan-on-demand services. And our office removal and data disposal services maintain data protection as a key consideration. There are just 100 days to GDPR, so contact one of the CAS team now to discuss how we can help you during, and after, the GDPR countdown.
About CAS GDPR compliant document storage and management
100 days to GDPR, are you ready? CAS provides comprehensive and secure document storage and management, scan-on-demand, and facilities management services. For more than 20 years CAS have worked with NHS Trusts, financial services providers, and corporate and private clients. Our head office is just four miles from the City of London, supported by our advanced storage centres across the UK. CAS has an impressive array of international certifications (ISOs), which prove our compliance with the strictest national, European and international laws. They also demonstrate our commitment to providing innovative systems for security, confidentiality and quality control in keeping your files safe and well managed.