The GDPR topic was discussed at yesterday’s Conference on GDPR [https://training.comsuregroup.com/event-registration/?ee=281] and over 100 delegates listened to x4 expert speakers talking about what is coming up in May 2018 – the speaker list was
- Emma Martins, The Information Commissioner of Jersey & Guernsey
- Edward Drummond, Partner, Bedell Cristin
- Andrei Voinescu, KPMG
- Mark Saville, Data2Vault
- Ricky Magalhaes, Logicalis
SEE THE COMSURE GALLERY – http://www.comsuregroup.com/gdpr-event/
BY WAY OF BACK GROUND
- Jersey and Guernsey is adopting the European General Data Protection Regulation (GDPR).
- GDPR is due to be enforced from May 2018, and the UK’s exit from the EU does not mean you do not need to comply.
- If you provide a service within the EU or the UK that involves processing the personal data of EU citizens, then you will be legally obliged to comply.
- The GDPR is the biggest change to happen to data protection in more than 20 years since the UK’s Data Protection Act and will enhance the protection of individual’s data.
- Non-compliance comes with severe penalties and companies could face fines for up to €20m or 4% of annual global turnover – whichever is greatest.
- The major changes to any organisation gathering, holding, processing or gathering personal data, even something as simple as an email address, it that both internal and external partners are equally responsible. So if you use 3rd parties in any form, then you need to be sure that they are also compliant.
- The legal framework and clauses contained in the regulations and acts are very clear on what constitutes personal data, and very stringent on reporting breaches, it is no longer legal to brush breaches under the carpet and hopes no one notices.
WHAT NEXT – MORE CPD TRAINING TO DISCUSS THE GDPR ACTION LIST
- Delegates left the conference with a sense that there was more action needed and as Mathew Beale (the event MC) said it was like studying for an exam, the test is 12 months away (May 2018), and everyone needs to be prepared for the test to pass.
- To assist delegates, Comsure is running 6×1.5hrs follow on surgeries. The surgeries will be designed to discuss and advice on what steps can be taken and should be done to be ready.
THESE STEPS WILL INCLUDE:
- Get buy in from your key business personnel and ensure that they are aware of the new legislation and what impact it is likely to have on the business.
- Document what personal data you currently hold, what its original purpose was and whom you have shared it with.
- If you hold inaccurate data, this needs to be rectified, and if you have shared this data with other organisations, you will need to inform them so they can amend their records too.
- Review your privacy notices and make any necessary changes to comply with GDPR. Currently, you are required to give people information about how you intend to use their information, but under GDPR you will need to explain the legal basis for processing the data, the length of retention and who the data may be shared with. This needs to be presented in a concise, easy to understand format.
- Ensure you have a clear policy stating the period that data will be held and a procedure for how that data will be deleted at the end of that period.
- Individuals have the right to access the data that you hold about them and to have information corrected or erased (the right to be forgotten), and the GDPR has imposed shorter timeframes for making this information available to data subjects and has also removed the charge to individuals for making this request. It is, therefore, essential that you have a procedure in place to deal with subject access requests promptly.
- Make sure you understand the legal basis for processing the data you collect, you will need to be able to explain this in your privacy notice. Data subjects will have greater rights to having their data deleted if you use consent as the legal basis.
- Consent needs to be a positive indication of agreement to the processing of personal data. Review how you currently obtain and record consent and ensure that the system you have in place will be GDPR compliant. It will no longer be acceptable for consent to be inferred from silence or pre-ticked boxes.
- Make sure you have procedures in place to detect, report and investigate a personal data breach.
- Data Protection Impact Assessments (DPIA’s) – assesses which processes in your business it will be necessary to conduct a DPIA and decide how these will be managed and who will be responsible for conducting them. Here is a link to a useful guide from the ICO – ICO Guidance for PIAs.
- If required, you should designate a Data Protection Officer (DPO) or someone to take responsibility for the data protection compliance within your organisation. The GDPR does not require all organisations to appoint a designated DPO, but in all cases, it is important that someone has ownership and responsibility for managing your data protection compliance. It will be important this person has the full support from the business to do this effectively. This role can be in-house or contracted to an external consultant.
- If you are an international business, you need to determine which data protection supervisory authority you come under. If you are not sure, then the ICO will be able to offer you some guidance.
It should be noted that many of these things could be time consuming and may require you to implement training programmes, change procedures and policies. For many organisations, these steps will be necessary, and to meet the deadline you will need help – so it’s better to start NOW
WATCH THIS SPACE
Details of the surgeries will be issued soon….WATCH THIS SPACE