09 Feb: GDPR compliance for small businesses and arts organisations
Have you started to prepare for the implementation of the General Data Protection Regulation (GDPR) throughout the EU on 25 May 2018? Did you know that at the same time a new Data Protection Act will come into force (which will essentially mirror the GDPR, with some extra provisions that apply specifically in the UK), and that a new set of electronic marketing regulations, intended to replace the current rules, is also planned (these will govern, for instance, the use of personal data in marketing email lists)?
There is still a great deal of uncertainty about how all of these pieces of legislation will work together, and some of the answers will of course not be known until 25 May; this has contributed to the febrile atmosphere surrounding GDPR implementation. There has been a certain amount of scare-mongering too, particularly on the subject of fines. In our opinion, over-anxiety is misplaced; we believe that it should be sufficient for an organisation to be able to demonstrate by 25 May 2018 that it has given full consideration to the GDPR and has started to put systems in place.
The Information Commissioner's Office (the ICO, which oversees the interpretation and enforcement of data protection legislation in the UK) is a good source of information on how to prepare for compliance with the new regulations and legislation. Its website, www.ico.org.uk, is a good first port of call for those organisations that are still burying their heads in the sand about GDPR.
It is worth noting at this point that:
- much of the GDPR is aimed at the large organisations that routinely use automated systems to process massive quantities of personal data; a black and white interpretation of the regulation is therefore not appropriate for small businesses and arts organisations, who should take a more nuanced approach;
- the Information Commissioner, Elizabeth Denham, posts thoroughly reassuring blogs about GDPR compliance from time to time, in the latest of which she is at pains to point out that 25 May is not to be regarded as a cliff edge date (as was the case with 1 January 2000 in relation to Y2K preparations). Compliance with GDPR should rather be viewed as an ongoing responsibility, with organisations being able to show evidence that systems are being put into place by 25 May 2018.
So, what systems might a small business or arts organisation be considering? What should you be doing now?
The GDPR builds on the Data Protection Act 1998, so any organisation that has already put systems in place under that Act will find that it is largely compliant and can build on what it already has.
The main considerations are:
Data Audit – think about all of your organisation’s activities that involve personal data; collecting it, storing it, using it, deleting it, archiving it. Think too about how you do all of those processing activities.
Consent – think about whether or not you needed the consent of the individual to process their personal data in the ways that you have identified (consent is only one of the lawful bases for processing; where you rely on another, such as performance of a contract, you do not need consent for that processing). Where you do rely on consent, did you obtain it in a negative way (for instance, by presenting a pre-ticked box) or in a passive way (by assuming consent by default and putting the burden on the individual to refuse)? Neither counts as valid consent under the GDPR, so you will have to obtain that consent again by giving a full explanation of what information you are collecting and how you will use it, and by asking individuals to opt in with a demonstrably positive choice. Keep a record of when and how each consent was given, since you may be asked to show it. This is the one area of compliance that should ideally be completed before 25 May.
Retention of Data – think about how long you store personal data. Do you have arrangements to delete or archive it once you no longer have a legitimate reason to retain it? If not, think about systems you could put in place to do this.
Data Security – think about how you protect personal data from loss, damage or alteration, and from being seen by the wrong people (which includes deciding which staff members should have access to which data, and which should not, and removing access when someone leaves). Think about how to implement systems that provide that protection in practice: for instance, password-protected and encrypted laptops and backups, a working backup and restore routine, and a record of where personal data is kept (including in email and shared drives).
Data Breach – think about what you would do in the event of a data breach by your organisation. Do you understand what is meant by a data breach (it covers accidental loss, such as a lost laptop or an email sent to the wrong recipient, as well as deliberate attack)? How would you even know that it had occurred? Who should you tell, and how would you know whom to tell? Note that under the GDPR a breach that is likely to result in a risk to individuals must be reported to the ICO within 72 hours of your becoming aware of it, so you will need a simple written procedure and someone responsible for following it. What would you do to prevent it happening again?
Data Accessibility – if an individual decided to exercise their right to ask to see all of the personal data that you hold about them, and evidence of all of your processing of that data, would you be able to respond? Would you know what was expected of you, how to respond, and within what time frame (under the GDPR, normally one month)? Think about how to put systems in place that are appropriate (for the types of data and processing involved) and reasonably achievable (for your type and size of organisation); a data audit, as above, is the foundation, since you cannot produce what you cannot find.
These are some of the main issues, and you will need to study the guidance on the ICO website to understand more about key concepts such as consent, the definition of personal data and data breach.
If that all seems too daunting or time-consuming, here are a few of the ways in which VLT LEGAL could assist you: an audit of your organisation's use of personal data and data processing activities; targeted advice on methods of GDPR compliance; a bespoke outline compliance action plan for your organisation.
For more information, please contact VLT LEGAL on firstname.lastname@example.org or 07887 810020