- August 10, 2017
- Posted by: jonnyhough
- Category: All News
The GDPR will come into force in the UK on 25th May 2018 and replace the Data Protection Act (DPA) 1998. The changes have been prompted by advances in technology such as biometrics, the changing information landscape and the drive to give individuals more control over their personal data.
The Information Commissioner’s Office (ICO) is responsible for the GDPR and there is a wealth of information available on this subject on its website. The ICO’s key objective is to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. It is worth noting that the ICO makes it clear that the proposals are ‘a living document’ and it is working to expand key areas.
Whilst the focus of the ICO is to promote change through good communication, and by promoting the concept that respect, privacy and dignity for individuals can have a positive business impact, it can also take action to change the behaviour of organisations and individuals that collect, use and keep personal information. This includes criminal prosecution, non-criminal enforcement and audit. Currently the ICO has the power to impose a monetary penalty on a data controller of up to £500,000. From May 2018, there will be a two-tier penalty regime. What are considered serious data breaches may attract maximum fines of 20 million Euros or 4% of global turnover, whereas other failures will be subject to fines of up to 10 million Euros or 2% of turnover, whichever is the greater.
The ICO can and does prosecute when a breach is identified, with the outcome being published on its website. Recent cases suggest organisations, directors and employees can all be fined.
There are therefore financial, organisational and reputational risks relating to non-compliance. Additionally, any breach could also result in non-compliance with the Homes and Communities Agency’s Regulatory Standards, which require ‘adherence to all relevant law’.
The principles of the GDPR are similar to those in the DPA, with added detail at certain points. However, there is a new accountability requirement, which requires the controller (i.e. the organisation) to be responsible for, and able to demonstrate, compliance with the principles.
There are also detailed provisions which promote explicit accountability and governance, aimed at minimising the risk of breaches and upholding the protection of personal data. Practically, this is likely to mean amendments to existing policies and procedures for organisations, particularly around tenancy management and HR, requiring a close working relationship with IT around data security.
1. Ensure you comply with existing DPA requirements
Check that existing data protection policies and procedures are fit for purpose and compliant with existing requirements. For example:
- Ensure procedures are in place to detect, report and investigate a personal data breach;
- Review internal HR policies, rent management, lettings, tenancy and estate management policies and procedures to ensure compliance, including procedures for handling subject access requests (SARs);
- Review any data sharing arrangements with external organisations to ensure they are compliant;
- Ensure data protection is included in staff induction and training;
- Ensure DP and SARs feature in any internal audit programmes;
- Ensure DP is referenced on the risk register.
2. Develop awareness and take action to respond to the new GDPR requirements
Familiarise yourself with the GDPR requirements and take steps to ensure all relevant policies and practices are reviewed and amended to ensure compliance by 25th May 2018. These should also be properly communicated to staff and residents, with relevant training delivered by that date.
This should include:
- Ensuring the Board is fully aware of the new requirements. The ICO has issued a useful video;
- Ensuring arrangements are in place to properly manage a request from an individual seeking to exercise their GDPR rights, including how to demonstrably delete personal data or provide data electronically and in a commonly used format (data portability);
- Tightening up SARs processing, noting the new one-month time limit to respond (rather than 40 calendar days) and that charging will be removed, which may encourage more requests;
- Reviewing consent arrangements, which must be a positive indication of agreement to data processing and therefore must include an audit trail of verifiable consent, including how and when consent was given;
- Ensuring there is a good record-keeping system for consents, to demonstrate compliance if required;
- Familiarisation with the guidance the ICO has produced on Data Protection Impact Assessments (DPIAs), considering how and when to implement them, and also considering the implications of privacy by design;
- Making sure that staff understand what constitutes a data breach, particularly that this is more than a loss of personal data;
- In light of the tight timescale for reporting a DP breach to the ICO (within 72 hours), having robust breach detection, investigation and internal reporting procedures in place from May 2018 onwards;
- Monitoring the changes in the GDPR guidance as it evolves.
Campbell Tickell intends to issue further updates on specific aspects of the GDPR over the coming months. If your organisation would like help in making sure you are ready for the GDPR, contact Senior Consultant Stephen Bull at firstname.lastname@example.org or by telephone on 020 8830 6777.