Key GDPR Questions for Every Business to Answer Now Part 3
In this series of reviews of the General Data Protection Regulation (GDPR), due to come into force in May 2018, I have left the biggest area until last. The most significant changes concern accountability and governance.
For both data controllers and processors, accountability and governance need to be comprehensive but proportionate. Each is accountable for ensuring that all personal data is held securely at all times and that full policies and procedures are in place. While larger organisations need to invest more time in preparing those policies, every organisation needs to have allocated reasonable effort to doing so.
How do I protect data?
Firstly, one of the easiest ways to protect something is to minimise its size. This might be termed privacy by design. Put simply, it means collecting only the data you need. Such an approach may limit the severity of any breach that does occur. It is also good business practice to ask only for the information you need, so as to avoid appearing intrusive.
The second step is to undertake a data protection impact assessment, to assess the robustness of your technological solutions and the likelihood of creating a high risk to the rights of individuals. In other words: why do you need the data, and how are you protecting it?
Protection here is not only against the expected devilishness of a hacker, but also against the carelessness of staff. How many films have you seen where information is downloaded from a computer just after a member of staff has stepped away? Or stories of laptops and USB sticks left on trains, buses and taxis?
What is personal data under GDPR?
The definition of personal data is now wider. It applies to electronic data and, within certain criteria, also to manual records. Moreover, it brings pseudonymised data into scope. This raises the bar on the security and encryption of data.
The definition is also broadened to include items such as IP addresses. Again, this is something that may not automatically be seen as personal. But an IP address is a means of electronically linking behaviour, and through data-mining techniques it can be exploited in real time. Share lab has recently attempted to map Facebook’s reach to demonstrate this.
Any breach must be reported to the ICO within 72 hours if it poses a risk to the rights of individuals. A breach is the destruction, loss, alteration or disclosure of personal data, or access to it.
So, lost your phone, with its address book and access to email, when your clients are consumers or sole traders? Then probably a breach. Left your laptop unprotected, without a password, when you stepped away for a moment? Possibly a breach. And don’t think of not reporting it, as that is only likely to make any fine higher.
Do I need a Data Protection Officer?
For organisations that are not public bodies or that employ fewer than 250 people, there is no requirement under GDPR for a Data Protection Officer.
But realistically, a fresh pair of eyes would flag up potential issues, as well as demonstrating good governance. Such a person would need the right to challenge any and all practices, and good practice would suggest that the responses are recorded.
The interpretation of GDPR is evolving. In the UK that interpretation is led by the Information Commissioner’s Office, which offers a range of handy briefing documents on the subject.
The clear message for all UK organisations, regardless of size, is to act now in order to create and comply with best practice well in advance of next May.
Waiting until next spring is too late, as the changes are bound to affect the way you conduct your business and handle its data. Acting now enables sensible, thought-through action rather than a last-minute knee-jerk reaction to avoid a fine.