An update and reminder notice on the General Data Protection Regulation (GDPR)
Current Data Protection Legislation
Currently, anyone who uses and stores information about the people who use their services, their suppliers or their workforce must ensure that the data is held in accordance with the Data Protection Act (DPA). This is changing to reflect the demands of our ‘digital age’ and to bring conformity across the EU.
Changes to Legislation
The GDPR comes into effect on 25 May 2018 and it is likely to affect all of our members, as it applies to anyone who stores or processes another person’s personal information.
It follows the same principles as the DPA, but with additional requirements on storage, consent, privacy and access. It includes the following rights:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- The right not to be subject to automated decision-making, including profiling
Key Terms
A ‘Data Processor’ is a person who processes data. The term may apply to the majority of your staff, as it includes anyone who will look at, contribute to or store data. They will need to know about GDPR.
The person who is responsible for compliance with GDPR and its principles is called the ‘Data Controller’. All organisations that process personal information will need to nominate someone to this role.
What do I need to do?
Here is a short overview of some of the steps that should be taken. This is not an exhaustive list:
- Appoint or nominate a Data Controller
- Write a Privacy Policy explaining why you hold information, why you may hold it in different formats (e.g. paper and digital), how you will address the rights listed above and what happens in the event of a data breach (escalation and notification). Make sure it is available and visible.
- Write and act upon a digital strategy to ensure data is stored on encrypted hardware and in software that is GDPR compliant (most major software providers should already be). Be careful with USB pen drives.
The Information Commissioner’s Office (ICO) enforces data protection, so it is the expert on compliance. It has easy-to-read materials available for free, as well as a helpline to help ensure that you are GDPR ready (number below).
It has produced a 12-step guide to preparing for GDPR:
https://storage.googleapis.com/scvo-cms/media/1624219/preparing-for-the-gdpr-12-steps.pdf
More detailed guidance is available here:
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
Data Breach
Any data breach needs to be reported to the ICO within 72 hours, and to anyone affected. The ICO is the UK’s independent body set up to uphold information rights. Failure to report can lead to a fine.
Information and support
For further information and support, please contact the ICO directly:
https://ico.org.uk
ICO Helpline: 0303 123 1113