GDPR – it’s scary, isn’t it?
Yesterday a few associates got around to talking about the General Data Protection Regulation (GDPR) which will become EU (and UK) law in late May 2018. I must admit that I did steer the conversation on to the topic but without exception they all said that they were scared about what was to come with GDPR and how they could comply. The unfortunate myth that consent must be obtained to process personal data was a side topic, but as I discussed recently (as did the Information Commissioner) this is not always the case.
Don’t be scared – plan for it
I can well understand why organisations might be scared, as even the Information Commissioner’s Office (ICO) is still to come up with guidelines, particularly with regard to obtaining consent and even something as basic as the age at which a person stops being a child. Although the GDPR introduces new rules to safeguard children and their personal data, it fails to specify below what age a person is considered to be a child and leaves that to member states; the threshold could be as low as 12 in at least one state and at least 18 in possibly two others. The UK is yet to decide, but the ICO says “probably 13”.
However, GDPR should be tackled in the same way as we approach any everyday business project: by implementing the correct administrative procedures for the tasks involved. For GDPR compliance you should:
- Determine the requirements for your own organisation’s handling of personal data;
- Determine the requirements for your suppliers’ handling of the personal data which you provide to them;
- Determine the requirements for the systems you use for collecting and processing personal data.
For many organisations, keeping the personal data they handle safe is nothing new, especially if they already have robust Data Protection Act 1998 procedures in place (you do already have those, don’t you?). What is new is that the GDPR requires you to document your data collection and processing policies and procedures before you go about doing it. Then, it must be possible to show on-going compliance with your own policies and procedures. And don’t forget to determine the lawful basis for the processing as well!
So what should you start to do?
Simplify the process by splitting your route to compliance into manageable stages:
Phase 1 – Identification. You need to define what your organisation’s core activities are. This includes such things as understanding who your data subjects are, where the personal data is collected and stored, who has access to the personal data, and the processes in which the personal data is used.
Phase 2 – Gap Analysis. The results of the identification phase are compared with the requirements set out in the GDPR so that it is clear what gaps your organisation has with regards to complying with the regulation, and so you know what additional procedures you will have to design.
Phase 3 – Privacy Impact Assessments (PIA). A PIA is an assessment tool which identifies the potential effects on your data subjects’ personal privacy, and on your organisation’s ability to comply with the GDPR, caused by the collection, storage and processing activities you identified in phase 1. Most importantly, it then identifies how detrimental effects can be mitigated. If you are familiar with health and safety risk assessments, then this is a similar process. Your PIAs should feed through to your design process so that you are taking a privacy by design approach.
Phase 4 – Contingency Planning. This is an important part of your design process. In cases where a leak of personal data does occur, the GDPR contains a new requirement that organisations must inform the relevant authorities. As a minimum you must be able to identify:
- What types of personal data were leaked?
- How many data subjects does the leak involve?
- What are the consequences to those data subjects?
- What has been done to ensure that this does not happen again?
Phase 5 – Awareness. Ensure that all your staff are familiar with their responsibilities and the procedures you have designed to collect, store and process personal data. To some this will be new, and so time needs to be taken for training.
Phase 6 – Implementation. You should now be ready to collect, store and process personal data in compliance with the GDPR.
Phase 7 – Ongoing Management and Monitoring. It is not just a case of implement and forget! You must be able to show on-going compliance with your own policies and procedures. So in your design process don’t forget to include this.
There is no doubt that complying with the GDPR will involve a lot of work but if you take a staged approach it should not be a headache and it should certainly not be scary come May 2018.
GDPR Preparedness Toolkit Seminar
This 2 hour seminar will help you, as you take your first steps towards compliance by sharing practical insights about implementing a data security based approach in line with the Regulation. You will learn about:
- Why you have to comply with the GDPR and what might happen if you don’t.
- The GDPR’s direct effect on your business and the transition timelines.
- The steps to take in preparing for compliance.
- The technical and organisational measures your business will need to adopt to comply with the Regulation.
- A key assessment toolkit you can use to help you to achieve compliance.
The seminar will be held at The Birch Hotel, Heywood with easy access to the M60, M62 and M66 on:
- Wednesday, 27th September 2017, 14:00 to 16:15 – SOLD OUT
- Wednesday, 25th October 2017, 14:00 to 16:15
- Wednesday, 29th November 2017, 14:00 to 16:15
Standard tickets are £25.00
Early Bird Discount tickets are £15.00 (available only if you book within 14 days of the seminar)
Contact us on 0345 319 4887 to book or book online with Eventbrite.