Is GDPR the most annoying abbreviation for business?
We’ve heard it’s on its way but should we be worried? What do we really need to know about GDPR?
Tim Buff, CEO of Agylia, provides a must-read summary of what's required.
GDPR means more protection for the individual. Pleased? Probably. Scared? No. Worried? Perhaps.
The European General Data Protection Regulation (GDPR) comes into force on 25th May 2018 and will change how organisations are allowed to handle the information they hold on individuals. With greater sophistication and significantly increased volumes of data held by an ever increasing number of organisations, the old regime enshrined in the UK’s 1998 Data Protection Act is no longer considered fit for purpose. Backed by the threat of much heavier fines, GDPR promises a step change in the control of personal data and increases harmonisation across Europe. It’s all about better data management requirements for businesses and additional new rights for people to access the information companies hold about them.
In the UK, the Information Commissioner’s Office (ICO) is the body responsible for enforcing this area and will be offering the ‘better, safer environment’ carrot as well as wielding the ‘bigger fine’ stick.
So how should we view this new set of requirements for organisations in both the public and private sector?
The regulation was published back in May 2016, so the contents shouldn’t come as a surprise to any of us. But inevitably, like homework when we were kids, we all tend to leave it to the last minute and suddenly find the deadline looming. The aim of GDPR is to better protect us as individuals; that is laudable and something we should all be pleased about. But it does put more burdens on any organisation holding data on employees, suppliers, customers and prospective customers. That probably means just about every business and public sector organisation.
Does Brexit let UK organisations off the hook? Interestingly, GDPR was published by EU regulators and was heavily influenced by UK input. The resulting UK Act will be very closely based on GDPR and won’t be impacted by Brexit.
So here are a few key things to focus on. Firstly, let’s look at the extra rights for the individual.
Increased individuals’ rights:
- Everyone will have the right to request and receive confirmation that an organisation has actually got some information about them, full details of this information and also ‘supplementary’ information (no one is quite sure yet what this last category includes). The existing ‘Subject Access Request’ £10 charge is being scrapped and organisations will have one month to provide individuals with details of what is held on them free of charge, so we may see a big increase in requests.
- This right of access extends to decisions taken on an individual based on data held on them, whether that decision is a manual or automated one. This may cover credit scoring decisions, loan applications, medical treatments or any one of a range of decisions and conclusions applied to an individual. This will open up the right of challenge and underlines the importance of preparation and ensuring that such decisions can be made transparent and justifiable.
- Individuals will have the right to request corrections to their personal data and also, subject to some exceptions, erasure.
Compliance:
Perhaps this reflects all those recent high-profile breaches of user account details reluctantly admitted by some of the biggest names.
- You need to have policies and procedures documented and in place. Organisations need to document why people's information is being collected and processed, descriptions of the information that's held, how long it's being kept for and descriptions of technical security measures in place.
- There is a significant requirement to obtain consent to process data in some situations. Where your organisation relies on consent to lawfully use a person's information, then you have to clearly explain to them that what they are doing is giving consent. Even more than this, there has to be a positive opt-in. In other words, simply ticking a box on a screen is no longer enough; you have to take it a step further, get them to separately confirm the opt-in, and then keep a record of that confirmation.
- Having an old email list you’ve used for years isn’t going to let you off the hook here. You will need to re-confirm with recipients if you haven’t already got a record of having done so in the past. This is a significant change, and at least one big B2C business (Wetherspoon) has already decided not to bother and to delete its entire email database.
- Admit it fast – if anything takes place which might reasonably be described as the destruction, loss, alteration, unauthorised disclosure of, or access to people's data, then there’s a requirement to report it to the ICO within 72 hours and, perhaps more importantly, to then tell the people impacted.
Where to find out more?
Here are some additional resources you might find useful:
- Wired.co.uk view
- UK Department for Digital, Culture, Media & Sport: factsheets
- ICO UK’s website www.ico.org.uk
- ICO’s 12 step preparation guide
- The complete European General Data Protection Regulation (GDPR)
- The draft UK Data Protection Bill in all its glory
Next steps:
Firstly, this is an area which does require real attention from the Board of Directors, partly because of the legal compliance requirements, but more importantly because the underlying issues are increasingly critical. You may never have been hacked, may never have been targeted and may think the whole thing is a waste of time and needless bureaucracy. But unfortunately the risk of very publicly losing people’s personal data is real, and the potential scale of personal loss, business loss and reputational damage is of nightmarish proportions.
So, there are two distinct areas requiring attention.
Firstly, you will need to appoint a “Data Protection Officer” and your own internal IT team needs to be on top of it. This isn’t too complicated, and with a bit of effort they can access a wealth of online resources (see above) to understand the requirements and then report back to the organisation’s senior management or Board of Directors. The report will identify where you hold data, areas of compliance, holes and required actions. The ICO has issued a 12 step checklist which is a helpful starting point.
The second area is your SaaS (or similar) solution providers. This is less well covered by the ICO checklist and there is unfortunately a general under-emphasis on this part of the landscape. This might for example be in my own area of learning management systems, where our Agylia platform is already compliant, or in a myriad of other systems ranging from online CRM, accountancy, work planning systems, medical records – the list goes on. Each of these will have already developed an approach to GDPR and you will need to identify each one that you use, contact them and get confirmation that they are compliant. It may be a good opportunity to better understand their security arrangements generally and satisfy yourselves that they are up to scratch.
If you need advice and help in how to roll out digital training and support on GDPR and other cyber security areas, then Agylia can work with you to design and create programmes relevant to your own organisation and we will be pleased to talk further.