Europe’s data protection reform process is finally complete, with the new General Data Protection Regulation given a number (2016/679) and, more importantly, a commencement date. It will apply from 25 May 2018. Assuming that the UK has not by then left the EU, it will affect almost all UK-based organisations in one way or another - and, for the first time, organisations outside the EU that process data relating to EU citizens. The text is essentially the same as that published last month (although I have to confess that I have not checked every word).
Two years seems a long time but Christopher Graham (into his last weeks as Information Commissioner) made clear at the Westminster eForum last week that businesses should be taking steps now to ensure they are ready, particularly given the threat of significant fines for non-compliance and the requirement to comply from the day the new law comes into force. He wouldn’t be drawn on the sorts of organisation most likely to be in the firing line for enforcement activity.
There was consensus among the panel and audience that now is the time to update systems and processes to ensure that they are up to scratch. One member of the audience of data protection practitioners said “now is our time”.
The ICO has previously commented:
“Many of the principles in the new legislation are much the same as those in the current law, but there are important new elements, and some things will need to be done differently. It will enhance the data protection rights of individuals and make organisations more accountable. The legislation will have a two year transition period for organisations to make those changes.”
and has published a useful 12-step guide, “Preparing for the General Data Protection Regulation – 12 steps to take now”.
In summary, these are:
- Raising awareness among key decision-makers
- Documenting the personal data you hold, and if necessary carrying out an information audit
- Reviewing your privacy notices and planning any necessary changes
- Checking your procedures to be able to implement individuals’ rights such as data deletion
- Updating your subject access request procedures
- Reviewing the legal basis for your data processing activities
- Reviewing and updating your consent procedures
- Planning for special rules concerning children
- Ensuring you can meet the new requirements around data breaches
- Implementing privacy by design, where necessary by carrying out data protection impact assessments
- Designating a data protection officer and defining their role
- Where appropriate, making an international assessment – which data supervisor will regulate you?