Get set for GDPR or pay 4% of worldwide revenue
Despite Brexit, the UK Government has confirmed that the UK will still be a member of the European Union when the General Data Protection Regulation (GDPR) takes effect on 25 May 2018, and that the UK will comply. GDPR applies to organisations established in the EU, and also to organisations outside the EU that offer goods or services to people in the EU or monitor their behaviour, wherever the processing actually takes place. With the expansion of the digital economy, the willingness of individuals to divulge more of their personal data online, and companies’ responsibility to keep that data secure, it makes good sense to follow the principles of GDPR. There is also the added incentive of fines for non-compliance of up to 4% of worldwide annual turnover or €20 million, whichever is higher.
Organisational Aspects
Many companies already have a Data Protection Officer (DPO) to manage their compliance activities and to ensure data protection policies, processes and procedures are in place. GDPR implementation is a natural extension of this.
The DPO will have responsibility for developing the overall strategy and deployment approach to GDPR, and will have to ensure the update of policy documents which are impacted by GDPR, such as the data retention policy. Business processes will also need to be updated under the DPO’s direction, such as the handling of subject access requests and of customer requests for electronic, machine-readable copies of their data (data portability).
But there will be many other key people in a company who will need to be made aware of the principles of GDPR and their responsibilities. And there are likely to be ongoing programmes and projects involving customer data which need to receive advice and guidance, and to build GDPR compliance tasks into their plans. For example, customers have the right to request erasure of their data, so what plans have been put in place to deal with copies held in backups and archives, where deletion is rarely immediate?
The DPO will need to work with business subject matter experts, and the legal, IT and marketing functions, which is why a programme approach will be the most effective.
Data
In terms of data, an understanding of the categories of individuals and categories of personal data the organisation holds is a good starting point. Do you know where your customer and employee information is held? Which current programmes and projects are impacted? An information map showing where the data is, where it has come from, where it is sent to, and what happens to it along the way will help with planning and implementation. And the information map will make it easier to show compliance, along with any relevant codes of conduct and certifications.
Records will need to be kept of the purposes and uses of personal data, where it has come from and who it is being shared with, as well as any additional processing such as profiling. Consent is only one of the lawful bases for processing (others include contract, legal obligation and legitimate interests), so for each type of processing the basis relied on, and how that decision was reached, will need to be documented.