Data protection law is changing with the advent of the General Data Protection Regulation (GDPR) in May 2018. In the past two weeks we’ve looked at how the GDPR defines personal data, and how individuals’ rights to consent will change. In the third of our blogs, we look at how organisations can ensure proper accountability and governance for data protection. This covers all aspects of data ‘processing’, i.e. the capture, storage and transfer of personal information which could identify an individual.
GDPR personal data: make sure you know why you need to keep it
The GDPR includes provisions that promote accountability and governance for protecting personal data if you process it. While accountability has previously been implicit in data protection law, it becomes more prominent under the GDPR. Put simply, accountability requires you to process personal data lawfully, accurately and transparently. You must have a specific and legitimate reason to process it, and keep the data for no longer than is necessary for that purpose. And clearly, you must secure the data against unauthorised use or accidental loss. Most importantly, the GDPR explicitly states that it is your responsibility to demonstrate that you meet these requirements.
In order to demonstrate compliance, you must ‘implement appropriate technical and organisational measures’. These should include internal data protection policies such as staff training, internal audits of processing activities, and reviews of internal HR policies. You have to maintain relevant and detailed documentation of your data processing activities, including the reasoning behind your decision to process this information. You’ll also need to appoint a data protection officer if you’re a public authority or if you carry out large-scale systematic monitoring (for example, online behaviour tracking). Even if that’s not the case, it will help to have a single point of contact for individuals and data protection authorities.
Designing and assessing your data protection processes
Key elements of governance include privacy by design and data protection impact assessments, which will now be legally required in certain circumstances. Privacy by design means that you must be able to show that you’ve considered and integrated data protection into all your data processing activities. Measures might include processing the minimum amount of data possible, holding data in a form that cannot easily be traced back to an individual without additional information (‘pseudonymisation’), and regularly reviewing and improving the security of your data storage. The UK’s data protection authority, the Information Commissioner’s Office (ICO), has already been encouraging organisations to do this.
Meanwhile, data protection impact assessments (also known as privacy impact assessments, PIAs) are a tool to help organisations comply most effectively with their data protection obligations and meet individuals’ expectations of privacy. Under current legislation, the ICO has promoted the voluntary use of PIAs, and has issued a code of practice setting out what a PIA should contain. Under the GDPR, you’ll be required to carry out a PIA when you start using new technologies to process data, or when you process certain categories of data (for instance, an individual’s police records).
Another way of demonstrating that you’ve taken accountability and governance seriously is to adhere to approved codes of conduct and/or certification schemes for your sector. We’ll be looking at codes of conduct in more detail in next week’s blog.
Ultimately, it’s important that everyone in your organisation understands their individual responsibility for data protection, so do keep staff up-to-date with training. But as employees, they need to be aware of their rights around the personal data which your organisation holds on them too.
CAS is a market leader in preparing for the changes which GDPR will bring. Whether it’s our document storage or scan-on-demand services, you can rely on us to help you meet your data protection responsibilities. And this extends to our office removal and data disposal services too. Your clients’, customers’, service users’ and employees’ data is always safe and secure with us. Call one of the CAS team now if you’ve got any questions about any of our services.
For a free, no obligation quote please contact our specialist team
About Clarks CAS
CAS provides comprehensive and secure document digitisation, information storage and facilities management services. For more than 20 years CAS has worked with NHS Trusts, financial services providers, and corporate and private clients. Our head office is just four miles from the City of London, supported by our advanced storage centres across the UK. CAS holds an impressive array of international (ISO) certifications, which demonstrate our compliance with the strictest national, European and international laws. They also demonstrate our commitment to providing innovative systems for security, confidentiality and quality control to keep your files safe and well managed.