2 months left to get Data Protection legal!
It feels like Spring is still a long way off right now, as arctic blasts sweep the UK and people are left stranded at home (incidentally, a timely reminder to see our blog on Disaster Recovery planning from last year!)
While the climate is increasingly unpredictable, one behemoth that is certainly rolling into our lives in May is the General Data Protection Regulation. This month we discuss how it will impact us all and what steps you need to ensure your organisation has covered off as a minimum.
25th May 2018 = Deadline Day
The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and is designed to harmonise data privacy laws across Europe, to protect and empower all EU citizens' data privacy, and to reshape the way organisations across the region approach data privacy.
Brexit does not get us off the hook in the UK; it will become legally enforceable here and punishable by large fines from 25th May onwards, so if you have not at least reviewed your existing policies for handling staff and customer / donor information yet, you need to do so very quickly.
Why is this happening?
The main driver behind this new framework is our right to privacy. The EU wants to give citizens more visibility and control over the personal information that organisations hold about them.
This follows several high-profile battles waged by the EU on tech companies over recent years around how they handle our data. There have been fines for Google over search result competition rules, Uber for data breaches, and Microsoft over the lack of web browser options presented to customers, to name a few.
Under GDPR, a framework of rules and policies is set out that all organisations holding personal information must demonstrate they adhere to: giving their customers access to that information, and demonstrating robust and responsible diligence in how the data is stored and processed.
This is huge! I don’t have time or budget to do all this!?
At first glance GDPR does look big and scary, and of course there are lots of businesses queuing up to sell you thousands of pounds worth of consultancy to get compliant. The framework caters for any size of organisation so sounds complex, but for most small to medium size businesses a lot of it may not apply.
The key to compliance is not spending months reading every single word of the huge Regulation document, but instead it’s about demonstrating that you take data protection seriously and act responsibly when handling sensitive info.
As always, start small and break the job into chunks. By following this 12 step Checklist, you can divide up the tasks and delegate jobs into teams:
- Awareness: your Staff, Board of Directors and/or Chief Executive need to be briefed on the upcoming deadline and acknowledge time & effort is going to be needed to align to the standards
- Analysis: what personal information do you hold? Staff, Customers, Donors and Sponsors should all be mapped out. If possible, mark each with the data’s location – on-site server, in the cloud or with a 3rd party
- Review: what do your existing data protection policies say? Do you have a process to follow in the event of a data breach? Does your information security policy cover internal (staff) and external (customer) data types, where they are stored, and how they are protected / encrypted?
- Rights: do you have a process and policy on data retention? How long do you hold personal information for and what checks are in place to delete data older than that period?
- Access: if a customer or ex-employee wants their personal data deleted, how would you carry that out and in what timeframe? How would you prove it had been deleted?
- Rationale: what lawful reason do you have to hold and store personal information? Why do you hold this?
- Age: do you hold personal information on people under 18 years of age? Do you record age at all? If you hold information on children, you must have consent from a parent / guardian or local authority
- Security: what policy do you have, and what actions would you take, in the event of a security breach? This can be a big topic and may require IT expertise, but the business side needs documenting too – how do staff report a possible security breach? Is regular training held with staff to keep awareness high?
- Risk Assessment: having an ethos of “Data Protection by Design” is now a legal requirement; privacy and security of information should be at the foundation of your data policy, as well as an impact assessment of the types of data & risks associated with a loss, along with their mitigation plans
- Data Protection Officers: a register of nominated staff with a remit on data protection. Just like a fire or first aid warden, these are the go-to people colleagues can reach out to
- International: if you work in multiple countries, a lead country should be nominated and act as your data protection “HQ” or Centre of Excellence
Despite what it may sound like online and in the press, GDPR need not be feared as an expensive and daunting beast. Chances are you will already be doing a lot of what is set out in the standards, and revisiting and refreshing those policies and procedures is a sensible thing to do – regardless of what the law says.
The most important part of the work you do is to demonstrate responsibility with the data you hold. Your organisation should be instilling the principles of good data protection as set out in the regulation, in all your staff.
Following the 12 checklist steps above will go a long way to demonstrating you have done your utmost to comply with the new GDPR requirements. The updated policies and procedures you create should be ratified by your Board of Trustees and signed by the most senior person in your organisation.
As always, we are here to help too. We can share document templates and discuss how any cloud services you may use – with or without us – comply with the standard. Our free guides on Cloud Security and IT Strategy may help you identify any gaps in your current setup and plan to improve those areas too.
Above all, you should document in meeting minutes with your senior staff that everyone is aware of what the GDPR is, the 25th May deadline, and what work is underway to tick off each area of the standard, to ensure you don’t get caught out.
Non-profit support on GDPR: https://knowhownonprofit.org/organisation/operations/dataprotection
NCVO training and resources on GDPR: https://www.ncvo.org.uk/search?q=GDPR&f=2
Information Commission support resources: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
ICO 12 step checklist: https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf