The implementation of the new General Data Protection Regulations (GDPR) seems to be one of the greatest causes of anxiety across all business sectors. Whilst there will be a change in emphasis, in some areas, on how data is collected and managed, it is important to remember that we already have extensive data protection regulations in place.
The implementation of GDPR should be an opportunity to assess how fit for purpose your existing data protection processes are rather than a reason to start again from scratch. Unfortunately, a delay in solid guidance has led to a sense of panic and a cottage industry in GDPR compliance. If you have any concerns about GDPR, and how it impacts your business, then you should look at the Information Commissioners Office (ICO) document on Preparing for GDPR and the Getting Ready for GDPR Checklist. There is a lot of information out there on GDPR, but you should always focus on the ICO as the people with final responsibility for implementing the regulations.
In relation to data protection itself, there are three basic principles that you should ensure are embedded in your organisation.
1) You know what data you collect from people
2) You can justify why you collect it
3) You have obtained consent to collect it and store it
These principles are at the heart of historic data protection legislation and this doesn’t change with GDPR. GDPR provides a framework for being clearer on how you manage each of those three principles. This means that there are a number of domains in which it expects you to assess your business.
Do you have adequate governance in place to manage the collection and storing of data? This spans from policies about data storage and data breach to accountable individuals in an organisation. If you are collecting data, then you should already be aware of whether or not you are Data Controller or Data Processor. You should also be aware of how you manage the data you hold. Writing your processes down, and lines of accountability are the first part of creating a policy around data protection.
Are you clear on what data you collect, who you collect it from and who you share it with? A is a process that organisations should carry out routinely but if this is something you haven’t considered before, don’t worry. Auditing data is a relatively simple process. List all the data types you collect, in all forms, find out the method of collecting it, why you are doing it and whether that it shared with anyone else. This provides a basis for beginning to assess if you have a lawful basis for collecting data.
Can you set out why you are collecting data from people? For each data element, you collect you should be able to set out the purpose of collecting data, whether you have consent to collect that data and whether you have permission to store that data.
Consent is the area that might require you to make changes in your processes. There is already a legal requirement to seek consent to store data but GDPR will set a higher standard of consent. The ICO has created a useful page for considering how you manage consent. The most important change requires you to ensure that when people provide consent to collect and store data that consent is informed. You need to ensure that reasons for data collection are not hidden in terms of conditions and that consent isn’t gained through pre-ticked boxes. Consent, or lack of, should also not be a barrier to receiving a service.
The change in emphasis on how organisations react to individuals is probably the most significant change in GDPR. The changes to how organisations must respond to subject access requests create much shorter timescales for organisations to identify what data they hold on individuals. Additionally, you need to be clear on how you will allow individuals to remove their data, edit their data or take their data for their own use. This change of emphasis shouldn’t change the way you manage data and ensure its security, but it should clarify that the data you hold belongs to the individual it relates to.
The implementation of GDPR is an opportunity to be more open about why you collect data from the people you interact with, what you do with that data and how you secure that data. The process of evaluating the data you keep also creates an opportunity to identify data that can create a greater social benefit through being released as open data. GDPR shouldn’t be a reason to panic and destroy your data collection systems.
Contributed by Darren Wright Inside Outcomes CIC