Bars need to start preparing for the arrival of the General Data Protection Regulation (GDPR) in May, writes Paula Tighe, information governance director at leading law firm Wright Hassall
Businesses must get ready for the arrival of the General Data Protection Regulation (GDPR) and allow themselves enough time to fully understand the changes. Key decision makers should start pushing through the necessary procedures and policies that can help achieve compliance.
Wherever your data comes from, if it is used, recorded, or processed in the EU, you must comply with GDPR. The UK’s decision to leave the EU had no effect on the new law.
Raise awareness and register it
The first change you should make is to start recording the compliance process, taking note of every change your organisation makes.
Also known as the “Data Register”, this record will have information about the data you currently hold, including where it originated from and why it’s being processed. These changes require you to adopt new effective procedures to make sure everything runs smoothly.
Compliance is more about how and why you do things, rather than necessarily stopping you doing them. Therefore, it is important you review current procedures for capturing, recording and processing personal data, making changes where necessary.
Review your existing digital and hard copy format privacy notices and policies. Are they concise, written in clear language, easy to understand and easily found?
Finally, assess how you communicate these notices and policies with data subjects, ensuring you explain your reason for processing the data, how long it’s retained and how individuals can complain to the Information Commissioner’s Office.
Rights of the individual
GDPR will give individuals greater control over their personal data, including the right to request it is deleted at any time. Therefore, employers must show they have processes in place to deal with any such request, detailing reasons for processing the data and how it will be used.
Perhaps one of the key drivers for the changes is the right for an individual to prevent their data being used for direct marketing purposes, as is the right to challenge and prevent automated decision-making and profiling.
Having transparent procedures will mitigate many potential future problems with the regulator, regardless of complaints or investigations. If your organisation already handles data carefully under the current data protection laws, the transition to GDPR should not be a cause for concern.
If an individual makes a subject access request to see what data of theirs you currently hold, you are obliged to carry out this request within a month. If you think the request has no merit, you can refuse, but you must tell them why and how they can complain to the regulator.
Never assume consent
Handling consent for the capture and use of personal data for more than just contact is a tricky area. Individuals must give clear consent for their data to be used and be able to revoke consent at any time. If you want to use their data differently, you must obtain a new consent.
How you attempt to obtain or confirm consent will help mitigate any future problems at the hands of the regulator.
Keep reviewing and recording
Where data processing could pose a significant risk to individuals because of the technology being used, or the scale of the processing, you should undertake a Privacy Impact Assessment (PIA).
These assessments will help you and the regulator decide the likely effects on the individual if their data is lost or stolen and should form part of your ongoing processes. Ensure you have a robust process for making the assessments and then record it, along with the outcome.
Make someone responsible and keep it up
If you routinely monitor or process personal data on a large scale, you should appoint a data protection officer who understands the regulations and how best to drive your data privacy processes.
It does not have to be someone within your organisation – perhaps appoint an appropriate individual on a part-time or consultancy basis.
It’s not just electronically-held data that can pose a problem; you also need to consider written records, which are also covered by the regulations. Ensure all your staff are trained on the correct handling of personal data.
Record how you handle each step of the process in your Data Register. In the event of a complaint or a data breach, it will be those organisations unable to demonstrate what they did to assess risk and mitigate it that will suffer.
Organisations that can prove they have made an effort to comply, even if they are not fully compliant with every aspect of the GDPR from the word go, will do better.