The snappily-titled EU General Data Protection Regulation (GDPR) is the biggest shake-up in how organisations deal with personal information in two decades. However, most organisations are only just starting to take on board the impact it will have. Regardless of Brexit, the new regulation becomes effective in May 2018. Is your organisation ready?
Changing times, changing attitudes
Our current data protection laws were drafted in the early 1990s, when dial-up Internet had only just become commercially available and social media was yet to take off. The ways in which both organisations and individuals view and use personal information have changed dramatically in that time and are still evolving.
The GDPR aims to shift attitudes still further. Running through the new legislation is the clear sense that organisations should view themselves not as owners of personal data but as custodians. There is a clear emphasis on the view that people who allow you to hold their data are entrusting it to you, and that you must repay that trust by dealing with it lawfully, transparently and responsibly. Because of this, much of the emphasis in the new regulation is on accountability rather than on technical changes.
Be seen to be a trustworthy custodian
Looking after people’s personal data is not just a matter of compliance with the law. It is also an opportunity to present your organisation as reliable and trustworthy. In an age when reputation and relationships can be more valuable than tangible assets, proving your credentials has a direct effect on your bottom line. Of course, getting it badly wrong also has an impact; it can make or break a business.
What does it take to be a good custodian?
- Know what data you hold and why you are holding it
- Decide how long you need to keep the data
- Make sure you respect people’s rights
- Take reasonable steps to protect the data in your care
- Make sure you document that you have done so
This last point, documentation, is probably the most significant change for smaller organisations. Just as with health and safety regulations, this is something you need to consider in all of your planning, and you need to take reasonable steps to mitigate risks. However, this need not be burdensome. In fact, just as with health and safety, the key thing is that you consider it and record the fact that you have considered it. If it isn’t recorded somewhere, the regulator will assume it never happened.
There are a number of key decisions you need to take between now and next May. The ICO has released a 12-step plan which guides you through the first of these. The plan can be found here: https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf.
Article kindly submitted by Tom Crellin, Consultant.
For further information and assistance, please contact Tom Crellin, Consultant: www.tomcrellin.co.uk