Published: 25 January 2017
Area of Law: Data Protection, Database Theft, Intellectual Property
5 steps to data protection compliance
The explosion of data in the last few years has been unprecedented. IBM believes that every day we create 2.5 quintillion bytes of data and that 90% of the data in the world today has been created in the last two years alone!
With the increased use of mobile devices, we are shopping online, posting to social media and browsing the internet like never before, and consequently leaving our personal information with multiple companies all over the world. As consumers we trust companies with our personal data on the assumption that they are looking after it correctly and complying with data protection law.
In 2016 the Information Commissioner's Office (ICO) took action against over 100 companies for breaching the Data Protection Act. It is also likely that these numbers will increase with the introduction of the European-wide General Data Protection Regulation (GDPR), which comes into force in May 2018. In a society where trust and integrity are an important part of a consumer's purchasing decisions, organisations need to take note not just of the penalties that can be imposed (which have been significantly increased under the GDPR) but also of the damage to reputation that can result from a failure to protect privacy.
Here we outline five steps anyone holding personal information needs to follow to ensure they are not breaching the GDPR.
1. Understand the personal data you hold and what it is used for
Organisations need to ensure they understand what personal data they hold and the processing they undertake with it. Whether the data relates to staff, customers or suppliers, it is still personal data. The GDPR expects organisations to collect only the data they need for the processing they are carrying out, and not to hold it for longer than they need it.
2. Understand the legal basis on which you collect personal information
Data can only be collected and processed if it is lawful to do so under the GDPR. The bases for processing under the GDPR are similar to those under the Data Protection Act (DPA); however, the requirement for consent as the basis of processing has been significantly tightened up. Where you are relying on consent, you can no longer pre-tick boxes or automatically opt people in; they have to actively give you consent. You also need to tell people the legal basis of the processing when you collect their data. Public authorities can no longer rely on the legitimate business interest basis in carrying out their tasks.
3. Review your processes for dealing with subject access requests
The GDPR requires additional information to be provided when responding to a subject access request, which includes identifying retention periods and the basis of processing. Organisations will no longer be entitled to charge for servicing subject access requests, which could lead to a significant increase in the number of requests made.
4. Update your procedures and policies
Organisations need to ensure that their procedures and policies are compliant with the additional rights given to individuals and with the obligations imposed on them as data controllers. The GDPR expects personal data only to be made available to individuals within an organisation who have a need to access this data. The GDPR also gives individuals the right to be forgotten over and above the general obligation on organisations not to keep personal data for longer than is necessary.
5. Consider employing a Data Protection Officer
You need to appoint a Data Protection Officer to be responsible for your data protection if you deal with large amounts of personal or sensitive data. However, if you're a public body, it is mandatory.
The GDPR requires organisations not just to be compliant but to be able to demonstrate compliance. With heavier fines and a greater public understanding of individuals' rights under the new regime, organisations have no excuse not to be prepared for it.