May 4, 2017 / By Ryan Hirst
Preparing for The General Data Protection Regulation (G.D.P.R.)
What is G.D.P.R.?
The G.D.P.R. is a regulation by which the European Parliament, the European Council and the European Commission intend to strengthen and unify data protection for all individuals within the European Union.
What’s going to change?
G.D.P.R. is based on the main concepts and principles of the Data Protection Act, meaning that most of your current approach to compliance will remain valid under G.D.P.R. and will be a strong starting point to build from. But not everything is going to be the same. There are some significant elements which will require your attention.
When is this change?
As of the 25th of May 2018 G.D.P.R. will come into force. Everon believe that it is important to start planning your approach to G.D.P.R. compliance as soon as possible and to gain buy-in from key stakeholders within your organisation. You will also need to be prepared to deal with the new transparency and individuals’ rights provisions that will come with G.D.P.R. This could have a big impact on the budget, IT, personnel, governance and communications of your organisation.
How to prepare for the G.D.P.R.
Everon have set up five best practice steps to take to prepare for G.D.P.R.
Firstly, it’s very important that you make sure that the decision makers and any other key stakeholders within your organisation know about the change to data protection and the significance of G.D.P.R. before it comes into force. You need to consider the impact that G.D.P.R. is likely to have on the different parts of your organisation and what problems could be caused under G.D.P.R.
As with anything in life, you usually find that those that leave preparation to the last minute tend to struggle with the change a lot more than those that have prepared in good time. Therefore, it is important that your organisation should use the time between now and the 25th of May 2018 to prepare.
Information You Hold
You must document the personal data you hold, where this data has come from and who you share the data with. If any errors or omissions are discovered in the data you hold and that data has been shared with another organisation, you would have a responsibility to let that organisation know so that the data can be corrected. Without accurate records this will not be possible.
Communicating Privacy Information
We recommend reviewing current privacy notices and creating a timeline to make any necessary changes in time for G.D.P.R. implementation.
Currently you are required to provide certain information, such as your identity and how you intend to use the data you are collecting. Normally this is done through a privacy notice. This requirement will continue under G.D.P.R. with some additional information requirements. For example, you will need to explain the legal basis for processing data, your data retention periods and that individuals have a right to complain to the Information Commissioner’s Office if they believe there is an issue with the way you are handling their data.
To ensure compliance with individuals’ rights, standardised procedures will need to be implemented or reviewed. This will include how personal data is retained and deleted and, if you provide data electronically, the format used.
The most important rights for an individual under G.D.P.R. are:
- The ability to prevent direct marketing
- To have information erased if requested
- Subject access request
- To prevent automated decision-making and profiling
- To have inaccuracies corrected
- Data portability
Apart from some significant enhancements with G.D.P.R., the rights individuals will enjoy under G.D.P.R. are the same as the ones under the D.P.A. There is no requirement to wait until the G.D.P.R. comes into force to transition to the additional rights provided under G.D.P.R. You can transition now if you are ready.
The right to data portability is an additional right not currently available under the D.P.A. It is an enhanced form of Subject Access Request: an individual can request that data held about them be provided electronically and in a commonly used format. Many organisations might already use commonly used formats and offer the information electronically, but for those who don’t, it will be a good time to revise your procedures and make any necessary changes.
Subject Access Requests
When G.D.P.R. comes into force there will be a new timescale for Subject Access Requests and in most cases, it will not be possible to charge for complying with a request.
You will in most cases have one month to comply, rather than the current 40 days.
There will be different grounds on which to refuse to comply with, or charge for, a subject access request. You may refuse or charge because you believe the request to be manifestly unfounded or because you have received excessive requests. However, if you want to refuse or charge for a request you will need to be able to demonstrate why, by having standard policies and procedures in place.
For those individuals making a request, you will need to provide data retention periods and provide the right to have inaccurate data corrected. For organisations that deal with large numbers of Subject Access Requests the impact of the change could be considerable; the logistical implications of having to deal with requests at a quicker pace and providing additional information will need to be carefully reviewed. Organisations should consider conducting a cost/benefit analysis of providing online access.
You should make sure you have the right processes in place to detect, report and investigate a data breach.
G.D.P.R. will require breach notification for all organisations, whereas currently only some organisations are required to notify the Information Commissioner’s Office when they suffer a personal data breach. Not all breaches will require notification: only those where the individual is likely to suffer damage, such as through identity theft or a confidentiality breach, must be notified to the I.C.O.
Organisations should start now to ensure they have the right procedures in place to detect, report and investigate a personal data breach. This could involve assessing all your data and identifying which data sets you should document because they would fall within the notification requirement in the event of a breach. For example, if a breach might leave someone open to financial loss, you would have to notify the individuals whose data has been breached. Policies and procedures would be expected to be in place in case of a data breach. If you fail to notify a breach, you could be fined for the failure to notify as well as for the breach itself.
If you use Microsoft Office 365 or an on-premises server, the I.C.O. has indicated that intrusion prevention systems should be activated and monitored on these systems to detect a breach as part of your due diligence.
Everon can assist with the implementation of these systems and provide ongoing monitoring.