Keep calm and GDPR

At the time of writing, there are 100 days to go until the General Data Protection Regulation (GDPR) becomes enforceable legislation across Europe on 25 May 2018. The message from the Information Commissioners Offices on the Isle of Man, in the UK, and further afield is “Don’t panic – this isn’t Y2K all over again”.  That said, to some degree we all have been scurrying around behind the scenes, making sure that our policies, business practices and systems are compliant.

Current Data Protection

The current data protection legislation is over twenty years old and the use of data and the internet has changed so much over that time.  When the existing legislation was introduced in the mid-nineties, Facebook, Twitter, Snapchat etc. didn’t exist, Amazon was only one year old, and no one was able to browse the web from their mobile phone.  

During this time the volume of data and how it is consumed has changed dramatically, and as a result, the legislation that governs how businesses use personal data needed to be updated to ensure that the laws remained current and fit for purpose. 

We live in an age where data has no borders, so why shouldn’t we all have to play by the same rules.  Through the introduction of GDPR we now have a single legislative framework, rather than being restricted to the laws of a given jurisdiction.

The concept enshrined within the GDPR is that data belongs to the individual and not the organisation holding the data, and this must be embraced.  As businesses we no longer get to decide how someone’s data should be used and who we share it with, unless the data subject has explicitly asked us to do so.  

Only the data subject has the right to decide what happens to their personal data and the requirements and controls introduced in GDPR, will prevent companies processing data without their permission.  

The increased accountability, transparency, risk management and data security requirements, that are introduced by the GDPR, will enhance how businesses protect and manage the data that they are trusted with.

There are several key themes within GDPR, namely:

• Accuracy – Information needs to be accurate, valid, up to date and fit for purpose and businesses will need to think about their processes and policies for maintaining the data that they process and store.
• Transparency – Businesses are required to be honest and open about who they are and what they are going to do with the personal data that they collect.  All privacy notices that businesses issue e.g. provided on their website, need to be reviewed to make sure that they comply.
• Accountability – This is the overriding principle throughout GDPR and it requires businesses to demonstrate that they comply with the principles.  It states explicitly that this is the responsibility of the business.
• Security – Businesses need to ensure that they are taking all reasonable measures to guard against data theft, loss or other breaches.  Clear evidence must be shown that diligent measures have been taken to address security of data.
• Responsibility – Businesses are now required to be proactive and systematic in their ongoing approach to data protection.  These responsibilities are not a ‘one-off’ scenario but require ongoing effort.  Further to this, if a business fulfils certain pre-requisites in relation to their processing activities they will also need to appoint a Data Protection Officer to oversee their obligations and responsibilities.

To ensure that PDMS meet the requirements of the GDPR, we have analysed our business, looking out for potential gaps in our compliance responsibilities. Through our ongoing business practices and the requirements of our existing certifications, we were already compliant on many levels. 

However, there were still elements that we needed to work on, including the following: 

• Undertaking a gap analysis on all our policies, procedures, work instructions and records;
• Reviewing and improving our systems to ensure that the impacts of GDPR have been considered;
• Integrating the GDPR requirements into our existing management systems and compliance framework;
• Ensuring that our suppliers share our commitment and diligence regarding their compliance with GDPR;
• Undertaking a review of our processing contracts through an accredited law firm;
• Providing training for every member of staff, including two who have since achieved the GDPR Practitioner Certificate, which is endorsed by the Centre for Information Rights (CIR);

As this work draws to an end we are confident that our systems and operations will be fully compliant with the GDPR before its enactment in May 2018.

If you are reading this and haven’t yet fully engaged with your GDPR preparations, then all is not lost.  Although preparing for GDPR can seem like a huge mountain to climb, especially when we are all busy getting on with our day jobs, there are lots of resources around to provide guidance.   Here are a few that we have found useful:

•         Information Commissioner (Isle of Man) - https://www.inforights.im/
•         Information Commissioner’s Office (UK) - https://ico.org.uk/
•         Data Protection Commissioner (Ireland) - https://www.dataprotection.ie and http://gdprandyou.ie/
•         Article 29 Working Party (EU Responsibility for Data Protection) - http://ec.europa.eu/newsroom/article29/news-overview.cfm

Hopefully when the dust settles around the GDPR, as a business community, we will all be able to agree that we have been left with a set of legal requirements that promote a positive culture of openness and accountability about personal data.  Ultimately, the requirements of GDPR are a positive thing and something to be embraced not feared or ignored.