A new data protection bill is being progressed through Parliament, aligning with the EU’s General Data Protection Regulation (GDPR), which applies from 25 May 2018, and replacing the UK’s Data Protection Act 1998 (DPA). In a digital age in which ever increasing amounts of data are processed, it is important that these changes are made.
The Data Protection Bill’s purpose is to:
Make the UK’s data protection laws fit for the digital age
Empower people to take control of their data
Ensure the UK is prepared for the future after it leaves the EU
It gives data subjects new rights, including the right to judicial remedy against organisations that infringe their rights. Organisations will have to adopt ‘appropriate technical and organisational measures’ to protect personal data and it will be mandatory to report any data breaches.
Designed to be a complete data protection system, the UK’s Data Protection Bill also includes requirements for national security data, law enforcement data and all other general data. There are also a number of agreed modifications to the GDPR – particularly those relating to financial services, academic research and child protection.
Since this new law will necessitate a wide-reaching and significant shift in the way that organisations must protect personal data it is vital that businesses and organisations are supported through the process.
What should you do to prepare now?
With only 6 months before the new Bill becomes law, it is essential to plan how your organisation will comply.
If your business is large or complex there could be significant budgetary, IT, personnel, governance and communications implications. Leaving preparations to the last minute may make compliance difficult.
1. Make colleagues aware
You will need to involve key people in your organisation and ensure that they know the law is changing and understand what needs to be done to comply with the new regulations.
Since many of the GDPR’s concepts and principles are similar to those in the current DPA, much of your approach to compliance should remain valid under the new law, so this can be a starting point. Be aware though that new elements and significant enhancements will mean you have to do some things for the first time and some things differently.
Ask colleagues to identify areas that could cause compliance problems, set a timescale for tasks to be completed and allocate each task to relevant personnel or departments.
2. Review the information you hold
The new Bill requires you to maintain records of your processing activities, so take a look at the data you hold. Can you identify where it came from? Do you share it with any other organisation? Is the data accurate?
If the personal data you have is inaccurate and you have shared this with another party, you will need to advise the other party of the inaccuracy.
You may need to implement an information audit across the whole organisation or within particular business areas.
In order to comply with the Bill’s accountability principle you will also need to have effective data protection policies and procedures in place.
3. Communicating privacy information
Under the existing DPA you are required to give people information about your identity and how you intend to use their information, usually through a privacy notice.
After 25 May 2018 you will also need to explain your lawful basis for processing the data and for how long you will retain the data. In addition you will need to advise people of their right to complain to the ICO (Information Commissioner’s Office) if they believe there is a problem with the way you are handling their data.
Individuals will have the following rights:
the right to be informed;
the right of access;
the right to rectification;
the right to erasure;
the right to restrict processing;
the right to object;
the right not to be subject to automated decision-making, including profiling.
There is also a new right to data portability, which only applies:
to personal data an individual has provided to a controller;
where the processing is based on the individual’s consent or for the performance of a contract;
when processing is carried out by automated means.
Check your procedures and work out how you would handle a request to delete personal data. Who would make the decision about deletion, and would the data be easy to locate and delete within your systems? Do you need to make any changes to your procedures or the way the data is structured?
Also ensure your employees realise they have a duty of care to protect data. You could introduce an addendum to their employment contracts, which they will need to sign to acknowledge their understanding of the legislation.
5. Subject access requests
Major changes to requests to access the data you hold on an individual will be introduced:
Whereas you can currently charge £10 to an individual who asks for their personal data, in future you will be required to provide the information free of charge.
There will only be a month to comply with the request instead of 40 days. This may have logistical implications.
However, you can refuse or charge for requests that are unfounded or excessive, but you must tell the individual why and advise them of their right to complain and to a judicial remedy, within a month of the request.
You may need to update your procedures and plan how you will handle requests to take account of the new rules. Consider whether it is feasible/desirable to develop systems to allow individuals to access their information easily online.
6. Lawful basis for processing personal data
Can you explain your lawful basis for processing personal data? The bases are generally the same as those in the DPA, so should be straightforward to identify.
Be aware that if the basis is by consent only, it gives people a stronger right to have their data deleted.
You will need to document the lawful bases in order to comply with the new law and explain your lawful reason for processing personal data on your privacy notice.
7. Managing consent
How do you currently seek, record and manage consent?
In future there must be a positive opt-in, rather than inference from inactivity, silence or pre-ticked boxes. You will need to introduce a tick box to opt-in as well as having simple ways for people to withdraw consent.
The ICO has produced detailed guidance on consent, with a checklist to help review your practices.
If your organisation offers online services to children and collects their personal data you will need to put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity.
Consent may be given by children 16 years and over, though this may be lowered to 13 in the UK. You will need to be able to verify consent and your privacy notice must be written in language that children will understand.
9. Data breaches
Make sure you have the right procedures in place to detect, report and investigate a personal data breach.
The new legislation introduces a duty on all organisations to notify the ICO of a breach where it is likely to result in a risk to the rights and freedoms of individuals – if, for example, it could result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage.
Assess the types of personal data you hold and document where you would be required to notify the ICO or affected individuals if a breach occurred. Failure to report a breach when required to do so could result in a fine, as well as a fine for the breach itself.
Check your disaster recovery policy to ensure its procedures meet the new regulations.
10. Data Protection Officers
Decide who will take responsibility for data protection compliance within your organisation and where the role fits within the company structure. The individual must have the knowledge, support and authority to carry out the role effectively. If this is not possible, you must outsource the responsibility to an external data protection advisor.
Some organisations will be required to formally designate a Data Protection Officer (DPO) and further information may be found on the ICO website.
11. International compliance
If your company is a subsidiary of another organisation, with a head office outside the EU, you will be responsible for ensuring you comply with the new regulations. You will also be responsible for ensuring any third-party vendors, such as MailChimp and Constant Contact, whose headquarters are outside the EU, comply.
Both these organisations are keen to continue to allow customers to legally transfer EU personal data, so are updating their systems. Updated versions of their data processing agreements will be released.
Check that other third-party companies that you use are carrying out similar processes and updates, and ask for a copy of their agreements.