Over the past weeks, we’ve run a series of blogs to cover the General Data Protection Regulation (GDPR), which comes into effect from May 2018. It tightens protections for individuals’ personal data and increases the requirements on organisations to take care of such data, including disposing of it if an individual exercises their right to be forgotten. In our final blog of the series, we take a look at steps which your organisation can take now to be ready for managing personal data under the new data protection regime.
GDPR managing personal data: finding out what is going to change
For many organisations that comply with the current law, it might seem like a big task to incorporate the new elements and enhancements of GDPR into their data protection practice. Thankfully, there is continuity, as the Information Commissioner’s Office (ICO) will remain the UK’s data protection authority. One of its most important pieces of guidance is a document detailing ‘12 steps to take now’.
With enhanced individual rights, work out what data you need
When managing personal data, most organisations should start with an information audit. What personal data do you actually need to ‘process’ for your business operations? ‘Processing’ here means collecting, recording, storing and sharing personal data. You should check your procedures to ensure they cover all individuals’ rights, including how you would delete personal data (the right to erasure) or provide data electronically and in a commonly used format on request (the right to access). Critically, you must identify the lawful basis for your processing activity and maintain records of any such activity, so get into the habit of documenting what personal data you hold and where it came from.
The GDPR updates rights for a networked world, so it’s vital to keep records of who you share personal data with too. For example, if you have inaccurate personal data and have shared this with another organisation, you will have to tell them about the inaccuracy so they can correct their own records. If your organisation operates in more than one EU member state, you’ll need to pay particular attention to any cross-border processing.
When you collect personal data, you currently have to give people certain information in a privacy notice, such as your identity and how you intend to use their data. The GDPR requires additional information, including specifying your lawful basis for processing data and your data retention periods. You should review your privacy notices and plan to make any necessary changes in concise, easy-to-understand and clear language.
‘No’ means ‘no’: get proper consent for data processing
You should review how you seek, record and manage consent and whether you need to make any changes. Under the new GDPR standard, consent must be freely given, specific, informed and unambiguous. There must be a positive opt-in, so that consent cannot be inferred from silence, pre-ticked boxes or inactivity. It must also be separate from other terms and conditions, and you will need to have simple ways for people to withdraw consent.
If your organisation deals with children, you’ll have to pay particular attention to their personal data. For the first time, the GDPR brings in special protection for children’s personal data, particularly in the context of commercial internet services such as social networking. The crucial element is obtaining parental or guardian consent for any data processing activity. For some organisations, you’ll need systems in place to verify individuals’ ages, to avoid holding children’s personal data inadvertently or without requisite parental consent.
Set up all your systems now – from subject access to breach reporting
The overall theme for GDPR is that data protection needs to be transparent. You should update your procedures and plan how you will handle requests from individuals as to what data you hold on them within the new timescales. Similarly, you’ll need to think about how to delete personal data if individuals exercise their right to erasure, and how you can demonstrate that this data has been deleted.
One vital element is having the right procedures in place to detect, report and investigate a personal data breach. The GDPR introduces a duty on all organisations to report certain types of data breach to the ICO, and in some cases, to individuals if it could result in significant economic or social disadvantage such as discrimination, damage to reputation or financial loss. Larger organisations will need to develop policies and procedures for managing data breaches, as failure to report a breach when required to do so could result in a fine, as well as a fine for the breach itself.
Everyone in your organisation has a responsibility for managing personal data
You should designate someone to take responsibility for data protection compliance, and assess where this role will sit within your organisation’s structure and governance arrangements. For many organisations, this will mean formally designating a Data Protection Officer; indeed, this is a requirement for some organisations including public authorities.
Whoever is in charge of data protection in your organisation, it’s important to give them adequate resources (for instance, so they can carry out Privacy Impact Assessments to understand the implications of any changes to personal data you process). But from key decision makers in your organisation to customer-facing staff, it’s vital that everyone is aware that GDPR is coming – and the impact this will have on their day-to-day operations.
How CAS can help
If you’re one of our clients, then one thing you can rely on is that CAS is already future-proofed for the GDPR. We’ll be maintaining the excellent standards which we have under current data protection legislation. We’ll keep your data safe and secure if you use our document storage or scan-on-demand services, while our office removal and data disposal services maintain data protection as a key consideration.
Call one of the CAS team now to discuss all of our services and find out how we can help with managing personal data.
About Clarks CAS
CAS provides comprehensive and secure document digitisation, information storage and facilities management services. For more than 20 years CAS has worked with NHS Trusts, Financial Services providers, and corporate and private clients. Our head office is just four miles from the City of London, supported by our advanced storage centres across the UK. CAS holds an impressive array of international certifications (ISOs), which demonstrate our compliance with the strictest national, European and international laws. They also demonstrate our commitment to providing innovative systems for security, confidentiality and quality control in keeping your files safe and well managed. CAS, offering 20 years of secure document storage in London.