GDPR is on its way – find out what your responsibilities are to avoid falling foul of the new data protection regulations in our first guest blog by Andrew Rastall of Connecting Element.
GDPR is coming, and most industry verticals do not appear to be aware of their impending responsibilities, let alone ready for the new rules that will come into force in May 2018.
GDPR stands for the General Data Protection Regulation, a piece of European legislation that:
- Will be wholly adopted by the UK, regardless of Brexit;
- Is essentially an evolution of our current Data Protection Act – but with teeth (with fines for non-compliance and an effective enforcement regime); and
- Will practically impact almost every size of business.
Having just taken the GDPR practitioner course, my feeling is that the appearance of GDPR on the UK’s statute books on 25 May 2018 will have parallels to the arrival of meaningful Health & Safety regulation in 1974. Where H&S put a duty on employers to ensure the health, safety and welfare of all their employees at work, GDPR will put a duty on anyone that collects, stores or processes personal data to do so responsibly and legally. We’ll all need to review and, most likely, change the way we do certain things.
Like H&S, data protection will become part of the culture of every organisation, and if you’re caught not complying you will be penalised.
What is GDPR trying to achieve?
GDPR is essentially seeking to protect our personal information from misuse and abuse. So, despite the new regulations placing a burden on business, their fundamental premise is to protect that most valuable of assets in an increasingly digital world: our private data. That means you’re in scope if you do any of the following:
- Run a payroll;
- Use a security camera;
- Offer employees work mobiles; and
- Send marketing emails to clients and prospective clients.
What data is within scope of GDPR?
Articles 1 and 2 of the regulations define ‘in scope’ data as any information relating to a living individual that can be used to identify them and that is processed by you, that is to say collected, stored or used in any way.
The data categories that are held by most businesses and that would fall under GDPR include:
- Client contact details;
- Employee & HR records; and
- Supplier records.
What do businesses need to do to be GDPR compliant?
That’s actually a pretty big question and practically the answer will be different for every business, association or individual trader. But in broad terms, your action plans for compliance will fall under three headings. You’ll need to:
- Be informed and accountable;
- Be secure and compliant; and
- Obtain consent and protect rights.
Informed and accountable
To be informed and accountable means that the correct people within an organisation need to understand their responsibilities and rights under GDPR. This will involve appropriate training.
- Owners, partners and board members will probably need some sort of presentation-based training to understand their responsibilities.
- Some organisations will need to hire or appoint Data Protection Officers who will at a minimum need to go on more detailed and accredited training courses.
- Selected staff will need 1-2 hours of training to make them aware of how GDPR affects their roles. This could conceivably be delivered via e-learning.
Secure and compliant
- Every organisation, no matter what size, will probably need to undertake a data mapping exercise (DME) from which all other practical actions will flow.
- Following the DME, any processing that could put personal data at risk will probably need to undergo a Data Protection Impact Assessment (DPIA).
- Recommendations that result from the DPIA will then need to be implemented.
Obtain consent and protect rights
- Once an organisation’s data processes are compliant, and if they wish to market to their data subjects (customers), they will need to obtain their data subjects’ consent.
- GDPR governs the processing of the various data categories for particular purposes under six principles and on six different legal bases. There are also specific personal rights concerning the data that all businesses will need to respect.
- The big change for most of CE’s clients will come around consensual data processing. The processing of personal data for marketing purposes is definitely subject to GDPR and will require both client and agency to make practical changes to remain compliant.
What practical actions will you need to take to be compliant?
It’s impossible to summarise an answer to that question, as the absolute impact will be different for every organisation. However, given Connecting Element’s existing insight into data collection, storage and processing, our first practical step will be to sit down with the leaders of businesses we work with to explore and explain the detail of what GDPR will mean for them.
With the help of our partner Connecting Element, Brookes & Co will be building a GDPR layer onto our existing expertise and practical experience in operating within the DPA and sharing this insight. To be compliant by D-Day (Data Day) on 25 May 2018, you’ll need to take action soon.
If you’d like a chat about how we can help you become compliant, get in touch by emailing Kate Newton at firstname.lastname@example.org or give us a call on 01889 598600.