The EU’s General Data Protection Regulation (GDPR) is set to come into force in May 2018. Many of its principles are the same as those of the current Data Protection Act (DPA), which it will replace; for businesses that already comply fully with the current law, most of that compliance will remain valid under GDPR.
The premise of GDPR revolves around the handling of personal data of EU citizens and what is necessary in order to protect it (note that the government has stated that this will remain in force post-Brexit). Because this covers all data gathered before May 2018 as well as thereafter, it requires that a business is able to demonstrate that it has taken all reasonable steps to ensure that it has sought the consent of individuals to hold specific information going forward. ‘Data’ is any information that can identify a person (this can include social media comments or even the IP address of an individual’s personal computer).
Any business that collects individual information during its daily activity must have processes in place to handle requests from an individual (known as a ‘Subject Access Request’) for their data to be identified and then either edited or deleted as part of the ‘right to be forgotten’.
A business must be able to demonstrate how it securely stores personal data, outlining the protocols in place to ensure that it cannot be penetrated, stolen or shared without the authorisation of the individual. Additionally, staff must be trained and a policy (which can be shared upon request) must be in place to protect and manage the information held. Organisations are grouped according to their activity as follows:
Controller
An organisation that determines the purpose under which personal data is processed. This means that the data controller exercises overall control over the ‘why’ and the ‘how’ of a data processing activity.
Processor
An organisation that processes and stores personal data on behalf of a controller.
The following suggests what steps can be taken to conform to GDPR:
1st Step
Audit
We recommend that an audit is undertaken to identify what data is held, on what basis, and how it is accessed internally or externally to the organisation. Doing so will give an understanding of:
- Where and what data is being held
- What consent is attached to said data in its entirety or in part
- Who has access to it and under what role/access rights this is granted
Unfortunately, it is likely that some of the above was not sought initially or collected when the data was first held; GDPR therefore requires that consumers are re-engaged to seek new ‘consent’ to hold data for the purpose of providing a service to that individual.
2nd Step
Actions
Having undertaken an audit of data and internal protocols, an organisation must determine whether these conform to GDPR or require improvement.
In terms of protocols, depending on the size of the organisation, this may require the creation of a new role, identified as the ‘Data Controller’, whose responsibility is to monitor the organisation’s data policy activities.
An organisation must train staff who access personal data to ensure that they are compliant with the GDPR policy.
Whatever system is employed to hold personal data must have the means to easily access an individual’s information and, based on the request, update/delete it.
Any current processes employed for data capture should contain an ‘opt-in’ function, as it will no longer be acceptable to imply consent either by statement or by a pre-ticked box.
With regard to personal data already held, it is recommended that an organisation looks to run a ‘permissions’ campaign (or campaigns) to seek new consent. This would allow it not only to conform to the ‘opt-in’ protocol but also to establish the basis upon which future consent can be sought, given that such consent requires regular updates (note that the period of consent is not identified specifically).