GDPR: What you need to know – part 3
More pointers to help you comply by 25 May
The General Data Protection Regulation (GDPR) will come into force on 25 May 2018. In an increasingly digital world, the new regulations are being introduced to better protect our personal data.
If your business holds the data of staff, customers, suppliers and other business contacts, then you’ll be affected.
What is personal data?
By the way, personal data is information which can identify a living person, e.g. a name, a photo, an email address or social media posts. When you think about it, that’s a lot of information that you might be holding.
There’s been a breach
It sounds like something in a Bond film but a data breach is a real possibility. As a business owner, you can be held responsible for a breach and potentially hit with a fine.
If you fail to report the breach within 72 hours of becoming aware of it, there could be an additional fine.
New GDPR rules mean that all organisations will need to report certain types of data breach, such as loss or theft, to the ICO.
If the data breach could risk an individual being discriminated against, suffering financial loss, having their reputation damaged, or any other significant economic or social disadvantage, the ICO must be told.
If the breach is likely to result in a high risk to the rights and freedoms of individuals, you will also have to notify the individual in question, in most cases.
In part 1, we talked about data mapping exercises. This is an important thing to do to prepare for GDPR. Mapping will show you the types of personal data you hold, so you can document where the ICO or affected individuals would need to be told if there was a data breach.
Keeping things private
A Privacy Impact Assessment, or PIA, can help your business to identify and reduce the privacy risks of a project. It’s always been good practice to carry out PIAs, but GDPR will make them mandatory in certain situations.
When do I need to do a Privacy Impact Assessment (PIA)?
You won’t need to carry out a PIA for all projects, but one is more likely to be required when the data is sensitive or when its uses are more intrusive. However, most projects will benefit from a review of how personal data will be used.
The level of detail can be decided by the business and will depend on various factors, including the time and resources available to the project team. If you decide there’s no need for a PIA, you should still keep a record of that decision. You never know, you might need it.
The ICO’s guide gives more information on when a PIA is needed and how to complete one.
In large organisations it might be necessary to have a designated Data Protection Officer (DPO), due to the amount of data being held. Other organisations that might need a DPO are:
- public authorities, such as the Bank of England
- an organisation that carries out regular monitoring of individuals on a large scale, or
- an organisation that carries out the large-scale processing of special categories of data, such as health records.
If you do business abroad
If you do business in more than one EU member state, you will need to document who your lead data protection supervisory authority is. In the UK it’s the ICO.
The lead authority is where your main establishment is. Most likely this will be where your head office is, unless data is processed or managed elsewhere.
That’s all folks
Although it can seem daunting, there is a common-sense approach we can all adopt. If you suffered a data breach, you would need to show that your business has policies and procedures in place. The ICO would also want to see that consent is being taken to collect data and then hold that data.
We’ll be sharing more advice with you as we near the 25 May 2018 deadline, so stay tuned.
Don’t forget, THP also needs to be fully compliant. If you’d like to know how we’re working through this, speak to your local THP contact or office. Maybe you’ve got some ideas we could borrow too.