Did you know that Data Protection law is changing on 25 May 2018? If you run a business (large or small), you need to be aware and ready for the introduction of GDPR.
Under the existing law, the Data Protection Act (DPA), if you hold and process personal information about your clients, employees or suppliers, you are legally obliged to protect that information. You must:
- only collect information that you need for a specific purpose;
- keep it secure;
- ensure it is relevant and up to date;
- only hold as much as you need, and only for as long as you need it; and
- allow the subject of the information to see it on request.
Many of the GDPR’s main concepts and principles are much the same as those in the current DPA, so if you are complying properly with the current law then most of your approach to compliance will remain valid under the GDPR and can be the starting point to build from. However, there are new elements and enhancements, so you may have to do some things for the first time and some things differently.
Where to start?
Whilst a simple internet search returns numerous hits related to GDPR, many of these relate to consultancies offering their services for the implementation of, and compliance with, GDPR. For small businesses, however, engaging a consultancy is not necessarily required, and is often not a cost-effective solution.
Rather, it may be more appropriate for small businesses to use the guidance and self-assessment tools provided by the Information Commissioner’s Office (ICO) which is the approach being undertaken by Glow Virtual Assistants (https://ico.org.uk/for-organisations/business/).
The ICO is the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. The ICO is an executive non-departmental public body, sponsored by the Government Department for Digital, Culture, Media & Sport.
The ICO is inviting consultation on parts of its GDPR guidance during January and February 2018, so the detail of how some requirements will be interpreted remains something of a moving target.
The ICO is the UK's representative on the EU's Article 29 Working Party, which produces the guidelines on how the GDPR is to be applied, so it is in a prime position to disseminate the evolving requirements.
What information does the GDPR apply to?
GDPR applies to Personal Data and Sensitive Personal Data:
- Personal data
The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.
This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifier, reflecting changes in technology and the way organisations collect information about people.
The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria. This could include chronologically ordered sets of manual records containing personal data.
Personal data that has been pseudonymised e.g. key-coded, can fall within the scope of the GDPR depending on how difficult it is to attribute the pseudonym to a particular individual.
- Sensitive personal data
The GDPR refers to sensitive personal data as “special categories of personal data”.
The special categories cover racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, and sex life or sexual orientation, and the GDPR adds genetic data, and biometric data where processed to uniquely identify an individual.
Personal data relating to criminal convictions and offences are not included, but similar extra safeguards apply to its processing.
What do I need to know before completing the ICO self-assessment?
GDPR applies to ‘controllers’ and ‘processors’, so you need to understand which category you fall into, or maybe both (https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/key-definitions/)!
- A controller determines the purposes and means of processing personal data.
- A processor is responsible for processing personal data on behalf of a controller.
- If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have legal liability if you are responsible for a breach.
- However, if you are a controller, you are not relieved of your obligations where a processor is involved – the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.
- The GDPR applies to processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU.
- The GDPR does not apply to certain activities including processing covered by the Law Enforcement Directive, processing for national security purposes and processing carried out by individuals purely for personal/household activities.
What about understanding the personal data I have?
One of the key steps to GDPR compliance is understanding and documenting the personal data that you hold and use as part of your business.
The recommended approach is to conduct an information audit to map data flows and document what personal data you hold, where it came from, who you share it with, what you do with it and how long you keep it.
The information audit is a good starting point: it produces the record of your processing activities that the GDPR expects you to be able to show, and it is good housekeeping practice in any case.
So how do I get started?
Well, we’d recommend you start to write yourself an Action Plan, including the points we’ve mentioned in this post. The ICO self-assessments will drive what else you need to do, so you can add these into the Action Plan once you know.
(Depending upon the complexity of your business and how you currently manage data, the Action Plan could simply become a checklist to confirm that you are already in compliance, but equally it may identify, for example, existing procedures requiring change, or new procedures to be implemented.)
And don't forget, GDPR applies from 25 May 2018, so your Action Plan needs to work back from this date!