In May 2016, the long-discussed General Data Protection Regulation (GDPR – Regulation (EU) 2016/679, to give it its official nomenclature) entered into force. Don’t panic though – it won’t apply until 25 May 2018, although that is soon enough given what it requires.
As a European regulation, it applies automatically to all countries in the European Union. And for the time being at least, that includes the UK.
Here FOIMan brings you free resources, links and suggestions as to how to prepare for GDPR. There’s more to come, so make sure you bookmark this page. Most importantly, there’s no time to wait – begin your preparations now.
GDPR is coming, BREXIT or not
There are 4 key reasons why you need to prepare for GDPR whatever happens in the UK:
- if you do business in Europe or handle information about those who live in the EU, you will have to comply with GDPR.
- if the UK joins the European Economic Area (EEA) – the “Norway option” – it will remain subject to GDPR when it leaves the EU.
- if the UK adopts another flavour of BREXIT, businesses and others will face extra hurdles every time they want to exchange data with institutions in the EU unless the European Commission judges its data protection regime to be “adequate” (i.e. substantially similar to the GDPR).
- the timing of BREXIT means that GDPR will apply in the UK at least until the UK leaves the EU – and probably beyond. The graphic opposite illustrates why. The latest indications from government (see the answer to Q.72) confirm that GDPR will apply up to and beyond the UK’s departure.
Time to Prepare
Whilst the underlying principles of the Data Protection Act will remain (if worded differently), GDPR brings significant changes to the way that you are expected to apply them. Amongst the big changes on the way are:
- enhanced data subject rights including shorter deadlines for answering subject access requests
- more emphasis on demonstrating your compliance through processes and techniques used to manage personal data
- mandatory data protection officers, privacy impact assessments and data breach reporting
- more powers for the Information Commissioner, including the ability to impose bigger fines of up to €20m or 4% of global annual turnover.
If you are going to be ready for the new rules, you need to start preparing now (or yesterday if possible). Here are some hints and tips on where and how to start.
Transparency, Conditions & Consent
If your customers, clients, employees and others don’t know what you’re doing with their data, then almost certainly your use of their data will breach the Data Protection Act as it stands now. GDPR, though, specifies in more detail what you need to tell them about how you handle this information. One of the biggest tasks in preparing for GDPR will be to review your privacy notices to see whether they meet these new requirements for transparency – the graphic opposite illustrates the things you need to tell people under GDPR.
The conditions in schedules 2 and 3 of the Data Protection Act are used to justify organisations’ use of personal data. Before you collect or use data for the first time, you need to identify a condition in schedule 2. If it falls under the “sensitive data” category, a further condition from schedule 3 is required.
There are similar conditions in the GDPR, though there are some changes. Public sector bodies will be particularly affected by the way that the “legitimate interests” condition works under the regulation. The most significant development, though, relates to the use of consent to justify use of data, which will affect most organisations. If you rely on this to support your use of people’s data – perhaps for marketing or other purposes – there will be stricter rules in future. The graphic opposite summarises the new rules on consent. A key point to remember is that individuals can withdraw consent – and that you have a duty to remind them of this. It’s all about giving them control over the data that you hold about them.
If all of this seems daunting, the Information Commissioner has published new guidance on privacy notices, transparency and control, which provides recommendations of best practice for meeting these requirements in a range of circumstances – online, over the phone, and even where data is collected by objects in the home in this era of the “internet of things”.
Planning and Change
There are many other things that you need to be working on. If you haven’t already, you should consider setting up a programme board to oversee a change management programme. The Information Commissioner’s Office (ICO) has identified 12 steps that will help you to prepare your initial programme plan. A few things that you should prioritise are listed below. I’ll be providing more information on these in due course, but in the meantime, where possible, I’ve indicated where else you can look for guidance.
- appoint a data protection officer (Act Now Training’s Blog Now)
- review how you communicate what you do with people’s data (i.e. privacy notices)
- look at where you rely on consent and consider whether you need to take action – can you prove that you have consent?
- identify information assets (National Archives guidance) – especially those containing personal data – and maintain an information asset register
- ensure that your records retention schedule (National Archives guidance) is up-to-date and that you have systems and procedures in place to ensure that it is applied
- review your standard contractual terms and existing contracts to ensure that you include requirements specified at GDPR Article 28 (GDPR text on EUR-LEX)
- make sure that you know when data is transferred or stored overseas and that you can demonstrate that adequate protection is in place (ICO guidance)
- integrate privacy impact assessments (ICO Code of Practice) into your project and risk management procedures
- consider whether there are ways to streamline the way that you meet individuals’ rights, for example their right to access their data by making subject access requests
- think about how you will identify and report data breach incidents quickly – do your colleagues know what to do if they notice something has gone wrong?
- raise awareness of GDPR and ensure colleagues receive data protection training
You might not get all of this done by May 2018, but you should get as much done as possible. Improving and demonstrating how you handle personal data will be a continually evolving process that won’t stop on 25 May 2018.
How FOIMan can help
FOIMan can provide the following to help you to prepare for GDPR:
- free resources, such as the graphics above, to help you understand GDPR and explain it to your colleagues – you’ll be able to access these via this web page, so make sure you bookmark it
- in-house training courses and workshops tailored to your organisation
- surveys to identify what information you hold
- audits of your data protection compliance
- drafting of policies and procedures
- and more…
The following are resources available from other organisations that may help you to understand what GDPR means for you.
- General Data Protection Regulation – the text of the regulation as published by the European Union
- The European Data Protection Supervisor (EDPS) has produced an app that allows you to read the GDPR (and the separate crime and justice data protection directive) and compare its various drafts; it is available for download from app stores.
- Information Commissioner’s Overview of GDPR
This page will be expanded and resources added over time, so please keep visiting for further information about the GDPR and data protection reform.