GDPR advice from Lee Newell Managing Partner Bardells LLP
When the Data Protection Act 1998 (“the Act”) was introduced, the internet was in its infancy. Mobile telephones made calls and sent basic text messages and ‘connecting’ to the internet was a physical task requiring cables and a dial-up connection.
Fast forward to 2018 and the world is a very different place. We live in a highly ‘connected’ world where our ‘personal data’ is an extremely valuable commodity. One only has to think about Facebook, LinkedIn and other social media to see how freely we part with our personal information: sharing personal photographs, paying bills, booking cabs and restaurants and so much more.
To perform what have become everyday tasks, we are frequently required to hand over personal data such as name, address, email address and telephone number. Most people give this information freely with little thought for any adverse consequences. In some cases, the personal data we hand over is even more sensitive, such as medical information, passport and national insurance particulars and even bank and credit card details.
On 25 May 2018, the General Data Protection Regulation (GDPR) took effect and brought with it an expectation that, in return for receiving ‘personal data’, organisations of all sizes and in all sectors (public, private and not-for-profit) will have to comply with more stringent legislation and ensure that what we know as ‘data protection’ pervades the entire organisation. Protecting data becomes dynamic and something that is ‘business as usual’.
Accountability is just one of the data protection principles, and if the fines do not focus the mind (up to 4% of annual worldwide turnover or twenty million Euros, whichever is higher) then adverse publicity should. One only has to look at TSB Bank (although not a data protection issue) to see just how fast adverse news travels and the potentially devastating consequences it can have for an otherwise sound business.
What do you need to be doing?
So, what do you need to be doing? Since the onus is now firmly on the organisation, it will be essential that you can demonstrate your compliance with GDPR. An audit of your current approach to data protection is likely to be essential, because it should help you to demonstrate the transition.
Your audit should include an assessment of what personal data you hold and where it originated, on what lawful basis you hold it and, where that basis is consent, how the consent was given and what the person consented to. You will also need to understand who you might share that data with and why. Just because you hold personal data (which might not always be in a database) does not mean the original ‘consent’ permitted you to use it for all the activities which your organisation undertakes. From 25 May 2018, organisations have to be able to demonstrate a lawful basis (of which consent is only one; ‘legitimate interests’ is another) for every purpose for which they hold and use personal data.
You will also need to consider how long you will hold that data for, as well as when, and how often, to refresh consent where consent is the basis you rely on. There really is not a ‘one-size-fits-all’ approach, so you will need to think about the relationship that exists between you and your client or supplier. If you share personal data with other people, think about why you do this, whether you have a lawful basis for doing so and how that third party will handle the data. Similarly, if another organisation ‘processes’ personal data for you, e.g. a payroll provider, you will need to review the contracts that exist between you and that supplier: GDPR requires a written contract with a processor that sets out, among other things, what the processor may do with the data and the security it must maintain.
The above examples are intended to highlight a few of the matters you will need to demonstrate. However, one of the best places to start is awareness. It is vital to make sure that everyone in the organisation understands GDPR and his or her part in ensuring compliance. Make sure that everyone is familiar with your data protection policies, and make sure that those policies are fit for purpose under GDPR.
Making sure you have appropriate security measures in place is also very important, because GDPR imposes a new obligation for you to keep a record of personal data breaches and, where a breach is likely to result in a risk to individuals, to report it to the supervisory authority (in the UK, the Information Commissioner’s Office) without undue delay and, where feasible, within 72 hours of becoming aware of it; where the risk to individuals is high, the individuals themselves must also be told. Similarly, if your audit identifies processing which is likely to result in a high risk to individuals’ rights and freedoms, GDPR requires you to carry out a data protection impact assessment before that processing begins and to address the risks it identifies.
Do you need to appoint a Data Protection Officer? If you are a public authority then this is a certainty. Outside the public sector it is mandatory where your core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data (such as health data) or data about criminal convictions. Even where it is not mandatory, having a dedicated person who is responsible for data protection may demonstrate how seriously your organisation takes this important business matter. That person could also be charged with making sure the organisation adheres to relevant codes of conduct and signs up to certification schemes.
As mentioned above, GDPR compliance is dynamic, which means accountability for it is ongoing. If you view GDPR as data protection for the 21st century, where citizens live, work and play in a networked world, you will appreciate the importance of ensuring your organisation complies with its obligations, and this means continually reviewing and, where necessary, updating the arrangements you put in place.
Lee Newell is one of the founders and a Partner at Bardells LLP
Central Court, 25 Southampton Buildings, London, WC2A 1AL