New data protection regulation means even more stringent rules
As featured in Third Force News, Val Surgenor says the first step is to visit the Information Commissioner’s Office website to self-assess whether your organisation needs to be registered or not.
Data controllers will find themselves subject to more stringent rules under the new EU General Data Protection Regulation (GDPR), which is due to come into force in May 2018.
To remind ourselves, the term “data controller” is used to describe any entity that determines the purposes and manner of data processing. This of course captures a huge number of organisations and companies operating in the United Kingdom – including many organisations operating in the third sector. In fact, most businesses will be data controllers because of the client/donor and employee personal data they hold and collect!
Most data controllers should be registered with the Information Commissioner’s Office (ICO), so if on reading the above you have some concerns, I suggest a quick visit to the ICO website, where you can use their very useful online tool to self-assess whether your organisation needs to be registered or not.
Under current law, data controllers bear the brunt of data protection compliance and have to evidence their compliance with the legal requirements (for example, making sure that the third party fundraising organisations you use maintain adequate organisational security measures and that this is recorded). The position under the GDPR sees no relaxation of this; indeed you, as a data controller, will find that your organisation is subject to more stringent rules under the new regime.
The most noteworthy of these include:
- a general requirement for greater transparency towards data subjects all the way from the content of privacy notices to the manner of processing itself, such as being more forthcoming about the rights of data subjects;
- increased requirements for consent to data processing, particularly in relation to sensitive data;
- being more mindful of the data subject’s age and potentially obtaining consent to the processing of a child’s data from an adult;
- tighter timelines to respond to data subject access requests;
- carrying out privacy impact assessments and appointing data protection officers;
- notifying data breaches to the ICO and also to individuals in the case of severe breaches;
- complying with the new rights that individuals have under the GDPR, including the right to be forgotten, the right to restricted processing, the right to data portability and the right to object to automated decision-making and profiling;
- the obligation to pseudonymise or encrypt personal data as an additional security measure in certain circumstances; and
- maintaining records of data processing activities, such as the purposes of the processing and details of third parties to whom the data has been or will be disclosed (although, thankfully for data controllers, the requirement to register their data processing activities with the ICO will disappear).
What should be flagged up, though, is the requirement to implement a data protection policy, where this is proportionate to the controller’s data processing activities. This is part of the overarching requirement to ensure that the data controller’s technical and organisational measures are on a par with the extent and risks of the relevant data processing activities, as well as the rights and freedoms of individuals. For example, where data processing activities are extensive, a data protection policy should be put in place (and of course enforced) to ensure the processing will be considered lawful under the GDPR.
A data protection policy helps to ensure that your employees are aware of the requirements you are faced with as a data controller and will provide practical tips (such as dos and don’ts) when it comes to their daily tasks. A data protection policy can also be incorporated into your agreements with data processors to ensure they are required to comply with the same standards that apply within your organisation.
Contact our Specialist Compliance and Regulatory Lawyers
MacRoberts’ team of data protection specialists can provide expertise and advice to businesses wishing to adopt this proactive approach to compliance preparation. We pride ourselves on our diverse, resourceful and highly skilled team of compliance and regulatory solicitors, who have substantial commercial and legal experience, delivering a pragmatic and commercial approach to our clients and their businesses.
If you require advice, assistance or representation in relation to the upcoming General Data Protection Regulation obligations or any other compliance and regulatory matters, contact our team today for expert advice tailored to your needs and/or sign up to our newsletter to keep up to date with the latest GDPR news and developments.