Data protection compliance
The Data Protection Bill, currently making its way through Parliament, will bring into force the General Data Protection Regulation (GDPR) on 25 May 2018.
The Data Protection Bill is likely to become the Data Protection Act 2018, and this Act, along with the regulation (GDPR), represents the third and most significant iteration of data protection legislation in the UK. The legislation will apply to ‘data controllers’ (organisations that collect data from data subjects) and ‘data processors’ (organisations that process data on behalf of the data controller, e.g. cloud service providers). GDPR therefore applies to all organisations, from the self-employed sole trader to large corporates.
There are a significant number of changes within the new regulation, some of which are outlined below:
- Changes in terminology
- Changes in accountability and responsibility, including the requirement to appoint a Data Protection Officer (DPO) under certain circumstances
- Changes to the notification of data breaches affecting the rights and freedoms of individuals
- ‘Privacy by Design’ is now a legal requirement
- The six lawful bases for processing are now defined
- Consent must now be explicit for the data collected and the purposes the data is used for
- Changes in responsibility for data processors
- Stricter rules on transferring personal data outside of the EEA (this includes cloud-based services situated outside the EEA)
- Changes to subject access rights and requests
- The requirement for better record-keeping
- An increase in fines for non-compliance (non-compliant companies and individuals can be fined up to £20 million or 4% of global annual turnover).
Preparing for GDPR
The new legislation will be based largely on the EU General Data Protection Regulation, with some national variations.
Six personal data processing principles are enshrined in Article 5 of the GDPR. Most of the other Articles define the regulatory controls which are necessary to ensure that these principles can be upheld. It is essential that you understand what you will be required to do to ensure that you comply with the new legislation and GDPR and that you plan and implement any changes which are necessary. Fundamentally, you need to understand the risks to the rights and freedoms of your data subjects.
A key aspect of this work will be for you to understand and document the information you hold and to review the lawful basis for controlling and processing that information. Other activities that you may be required to undertake include: reviewing how you obtain and record consent, reviewing how you handle data breaches, reviewing and amending privacy notices, amending procedures for subject access requests, and undertaking a data protection impact assessment. Your organisation will need to consider all of its organisational and technical controls, from IT systems, communications systems and materials, and enquiry handling processes through to your relationships with suppliers. You will need to consider whether you transfer information outside of the UK/EEA and ensure you have an appropriate legal basis to do so, depending on the final definitions in the Bill.
How we can help
To help you navigate your way through this legislation and be able to demonstrate compliance, we can help you understand and implement the wide range of organisational and technical controls demanded by the regulations.
Our senior consultant is a certified GDPR practitioner with over 30 years’ experience in risk management, safety, compliance and assurance in highly-regulated environments.
We can offer:
- A consultancy service – we can help you to review your current organisational and technical controls, helping you to do all the necessary work to be compliant with GDPR. With our technical partner we can also help you develop and implement the appropriate technical controls.
- A half-day briefing for your Board or senior team – we can give a detailed overview of the key changes in legislation and things you need to consider.