The new General Data Protection Regulation (GDPR) comes into force on 25th May 2018, replacing the Data Protection Act 1998. It is recommended that all clients start preparations for the change now, as it is likely these rules will require significant investment by all organisations. With penalties for breaches of up to 20 million euros, it is imperative that the new regulation is adhered to and understood.
The eight points below provide a quick snapshot of what to consider, helping you prepare for the changes:
- Awareness – make sure that decision makers and key people in your organisation are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have and ensure the resources are in place to carry out the required preparation and implementation.
- Responsibility – decide who is responsible for data protection within your organisation. If you don’t already have one, you will need to consider appointing a Data Protection Officer.
- Legalities – determine the legal reason for processing data. Once the regulation is in force, it will be more difficult to rely on consent to process data, so you will need to consider whether there is another legitimate business interest you can rely on. Where consent is to be relied on, it is likely that you will need to change how you obtain such consent and what information is provided beforehand.
- Update – check policies and template letters. You should start reviewing your existing policies to make sure that they cover all of the new information required by the regulation. This includes things such as: confirming the reason relied on for processing data, how data will be protected, and how long it is kept for. Data subjects also need to be informed about their right to complain, and you may need to update or redraft retention and destruction policies.
- Breaches – you also need a robust procedure for handling and reporting breaches within the short timeframes imposed by the new regulation, as well as ensuring that your data subject access procedure conforms to the new 30-day response period. You will also no longer be able to request a £10 processing fee.
- Security – with changing technology, now is a good time to make sure your security systems are sufficiently secure and, if in doubt, put new measures in place.
- International – if your organisation operates in more than one EU member state (i.e. you carry out cross-border processing), you should determine your lead data protection supervisory authority.
- Children – if your organisation offers services directly to children, you must communicate privacy information in a clear, plain way that a child will understand. If your organisation offers ‘information society services’ directly to children, you must have systems in place to verify individuals’ ages and to obtain parental or guardian consent where required.
The GDPR will apply to ‘personal data’, meaning information that relates to an identifiable person. The definition is broad and, in the employment context, will include information in an employee’s personnel file, information held on HR systems, information contained in emails and information obtained through employee monitoring.
The GDPR regulates the ‘processing’ of personal data, including the collection, storage, use, alteration, disclosure and destruction of information. Those that collect personal data are ‘data controllers’ and individuals to whom the data relates are ‘data subjects’. It will also apply to the processing of personal data of individuals who are not employees, for example, contractors and job applicants. If your company processes personal data outside of the employment relationship then the regulation applies there also.
Once you have conducted an initial audit and risk assessment, the next step is to develop and implement a GDPR compliance programme. It is important that decision makers and key people in your organisation are aware of the changes in the law.
- Clearly set out your approach to the new GDPR legislation and assign responsibilities for managing the change
- Assess and identify areas that could cause compliance problems
- Plan for a more general awareness campaign across your organisation to educate staff on the changes to the current legislation and highlight how these changes will impact them.
This is only a snapshot of the change information. For more information, please contact your HR Consultancy team.
ISO 27001 and the new General Data Protection Regulation
How can ISO 27001 help your organisation achieve compliance with GDPR?
ISO 27001 Information Security Management is the broadest and most well-known business framework for managing information-related risk. The standard outlines specific requirements and controls to ensure that your business responds to regulatory requirements, such as EU GDPR, as well as ensuring that the appropriate controls are in place to manage risks to your business information, including personal records.
If the scope of your ISO 27001 certification identifies personal data as an information security asset, much of the EU GDPR requirements will be covered.
Many of the GDPR requirements are also requirements of ISO 27001, so the two are well aligned. Examples of these requirements include:
- Responsibility and accountability
- Gaining consent for holding and using data
- Appointing a Data Protection Officer
- Recording and investigating data breaches
Why does a company need the ISO 27001 standard?
Many organisations mistakenly believe that ISO 27001 is an I.T. standard that is all about computers and systems, but it’s about the security of information. Another misunderstanding is that security is all about confidentiality. While a common response is ‘we don’t have any secret information’, it can be surprising how much information you do have – such as client bank details, payroll and other personal information relating to staff, and general customer information including personal data held and used for marketing purposes. The standard also covers availability and integrity of data, and requires organisations to consider business continuity and how the risk of data breaches is assessed and managed.
How does ISO 27001 help companies become more secure?
ISO 27001 helps organisations make intelligent, informed choices regarding information assets and the systems, people and procedures that manage them. The standard is underpinned by a risk management approach – assisting you to understand the information that you hold and use, working out what can go wrong and how likely such an event is. This helps you decide on control measures you must have in place to:
- Remain compliant with legislation
- Minimise the risk of security breaches
- Provide assurance to your customers and other stakeholders that you do everything you can to keep their data secure.
If you are interested in how ISO 27001 can help you with your compliance with GDPR, contact Alcumus ISOQAR on 0161 660 8513.