Don't Underestimate GDPR!
Most of us are extremely well versed in Data Protection; we all know the reasons we are allowed to process data, we include privacy notices where required and work extremely hard to keep data secure.
But be aware, things are changing!
With the upcoming implementation of the General Data Protection Regulation (GDPR), the data protection rules we know and ‘love’ will significantly change.
“What about Brexit?”, I hear you ask. Well, remember we won’t have left the EU by the time the regulation comes into force, meaning you must be compliant with GDPR for at least the time it takes for the government to implement replacement domestic regulations. But don’t worry, it’s unlikely that the effort will be wasted. One of the key requirements of the GDPR, as with the 1998 Act, is that data controllers and processors only transfer personal data to organisations in countries whose data protection laws are judged to offer an equivalent (“adequate”) level of protection. The upshot is that the UK is highly unlikely to substantively weaken its data protection rules following Brexit, or international trade would be significantly damaged.
So, what are the major changes that we need to consider?
There’s a new requirement that data processors must inform data controllers of a breach. You should therefore review all your contracts to ensure the processor has an obligation to report any data breach to you. It’s also best practice to set up reporting for “near misses”, so that you can learn together to prevent actual data breaches.
If a data controller shares inaccurate information with data processors, the data controller has a new obligation to proactively inform the data processor that the information was inaccurate so that it can be corrected. This could have wide-ranging consequences for our industry, both positive and negative, especially when you factor in credit reference agencies.
Privacy notices need to be updated in line with the new requirements.
The rules around subject access requests are significantly changing: in most cases you will be unable to charge a fee (although there are some exceptions), you have one month (rather than the current 40 days) to process the request, and you must include certain additional pieces of information, such as your intended retention periods.
Interestingly, you need to have processes in place to identify and record the lawful basis on which you process each category of data that you hold. This is a departure from current domestic legislation and will need to be worked into our policies and procedures. You will also need to decide how far this obligation extends: at a minimum you will need a statement covering customer data (perhaps separate ones for different classifications of customer data) and one covering staff data; at the other extreme, you may need a statement for each individual customer. Something to be considered.
There are new rules around gaining customer consent. For example, consent obtained through a pre-ticked box will no longer be valid; it must be a clear, affirmative action by the customer. You need to consider how you will gain oversight of what your clients or partners are doing, and have done, to obtain consent, as well as reviewing the data you already hold to ascertain whether the consent is still valid. Whatever you decide must be recorded.
A new emphasis is placed on audit trails, so that the firm can demonstrate the actions it took on specific accounts and the reasoning behind its decisions.
There is a new statutory obligation to notify the ICO within 72 hours of becoming aware of a personal data breach that is likely to result in a risk to the affected data subjects. Records must be kept of every breach, including those you decide not to report, and of the reasons for the decisions made.
Many organisations will be required to appoint a data protection officer, who carries specific statutory responsibilities; check whether your processing activities meet the criteria, and if they do not, consider whether a named owner for data protection is still appropriate.
The GDPR requires you to adopt “privacy by design”, whereby systems and processes are designed with data protection and security in mind from the outset, rather than bolted on afterwards.
And last but by no means least, there is the dreaded “right to be forgotten” (formally, the right to erasure) - a topic that will no doubt feature in many of the conversations that DCAs will be having with their more reluctant customers!
All of the above are backed by the ICO’s increased regulatory powers: it will be able to fine up to 4% of global annual turnover (or €20 million, whichever is higher) rather than the current maximum of only £500,000.
It really is time to get on board with the changes and there is no better way to start this than by joining us for our GDPR seminar!
Our GDPR seminar is to be held in Leeds in April 2017 at St Georges Centre, LS1 3DL. £200 per person, lunch included. 9am to 3.30pm.