The Data Protection Act 1998 is due to be superseded by the EU General Data Protection Regulation (GDPR), which takes effect on 25th May 2018.
This is a major change in data protection law. It applies to any person or organisation established in the EU that processes personal data, and to persons or organisations anywhere in the world that process the personal data of individuals in the EU when offering them goods or services (whether a professional person or body to a client, or a company to a customer) or when monitoring their behaviour.
The effects of the changes will be far-reaching and compliance will be an evolving process. Nevertheless, everyone affected must be able to demonstrate GDPR compliance by no later than 25th May 2018, by having in place documented systems for data collection, data storage, breach handling and deletion, or face the real risk of a heavy fine (up to the greater of €20 million or 4% of worldwide annual turnover) from the Information Commissioner's Office (ICO) or any other EU supervisory authority.
Most service providers will need to work closely with their IT support team to identify every source of personal data about individuals (the data subjects), record those sources in a central inventory, and ensure that the data is secure and protected against loss and unauthorised disclosure. GDPR does not require all personal data to be moved into a single database; it requires the organisation to know what data it holds, where it is held and why.
It is essential that all concerned not only understand the new rules (which are complex), which can be achieved through effective training of management and staff, but also have in place a clear Information Security Policy (for example, Data Protection and Data Loss Prevention Policies).
The key factor is for everyone to prepare and plan properly for the 25th May deadline. Compliance will involve having a clear and comprehensive data governance framework that includes:
- An Information Asset Register (i.e. a data inventory) recording what personal data is held, where, for what purpose and on what lawful basis.
- A central record of data sources: all data held should be reviewed and a list of every source, whether electronic or paper, should be prepared.
- A Data Breach Register (recording every breach, including near misses, and the evidence of it) together with a prepared breach notification procedure for the ICO, since a breach that is likely to risk individuals' rights must be reported to the supervisory authority within 72 hours of becoming aware of it.
- A review and revision of Employee Contracts of Employment and Staff Handbooks.
- A review and revision of Third Party Supplier Contracts (to contain the minimum GDPR requirements).
- A GDPR Staff Training Register (to record all training given to staff on Data Protection).
- An Information Security Policy (reflecting the ICO's privacy notices code of practice) that minimises the risk of data loss through documented risk assessments and the use of appropriate technology and information/communication systems.
- Websites displaying a Website Use Policy and a Privacy Notice.
- Data Protection Impact Assessments (DPIAs, previously known as Privacy Impact Assessments), which GDPR makes mandatory for processing likely to result in a high risk to individuals.
- Appointment of a Data Protection Officer (DPO) where this is mandatory (public authorities, and organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data).
- Allocate sufficient financial resources and manpower to ensure compliance with the GDPR requirements.
Although a great deal of useful guidance can be obtained from the ICO website, there are other sources too, including professional legal advice.