EU data rules still rule by Natasha Rawley, Archive Document Data Storage
This blog post was also featured as a column in the July 2016 issue of Legal Practice Management magazine. To read the issue in full, download LPM magazine.
As I sit at my desk at File Queen HQ to write this column, the news that the UK has voted yes to Brexit has hit. I know there’s a huge amount of uncertainty in our country at the moment and over the last few days I have received an influx of emails asking whether firms should still be preparing for the General Data Protection Regulation.
On cue, the Information Commissioner’s Office (ICO) released this statement: “If the UK is not part of the EU, then upcoming EU reforms to data protection law would not directly apply to the UK. But if the UK wants to trade with the single market on equal terms we would have to prove adequacy.” In other words, UK data protection standards would have to be equivalent to the EU’s GDPR framework starting in 2018.
So there you have it, LPM readers: the ICO are still ‘guns blazing’ to ensure the UK meets GDPR standards. Using their wonderful GDPR chart (which you can find here: www.archivestorage.net/news/gdpr) I’d like to run through an overview of the 12 steps listed by the ICO.
The first step is awareness – this is a warning to get managing and quality partners informed and on-board with the GDPR as soon as possible.
For step two, you need to know what information you hold. Now is the time to make an information asset register.
Third step, make sure you’re communicating privacy information. Revamp your current privacy notices and data protection policy, for in-house and client communication.
Knowing what individuals’ rights are is the fourth step. Here we need to concentrate on the right to be forgotten – do you have a checklist or process for deleting data, and is there a record that data has been deleted and that the deletion has been checked?
For step five, know how to deal with subject access requests. How do you currently handle, and how quickly does your firm respond to, requests from an individual about the information you’re storing on them? Remember that there are new timescales for this under the GDPR.
Step six concerns the legal basis for processing personal data. How are you processing personal data and have you confirmed your legal basis for carrying this out? Is there a written policy?
The seventh step covers consent. How do you obtain or store consent from individuals to hold or use their data?
The ICO’s eighth step – children. You need to have a system that verifies individuals’ ages, and a consent checklist for those requiring guardian consent for data processing. And for step nine, look at data breaches. What are your potential data breaches and do you have a policy and checklist framework to deal with one?
Step 10 involves data protection by design and data protection impact assessments. The ICO says: “You should familiarise yourself now with the guidance the ICO has produced on privacy impact assessment and work out how and when to implement them in your organisation.”
Bringing on a data protection officer is step 11. Bottom line, you need one, so either assign the role to someone or use a freelance data protection officer. And finally, for step 12 the ICO advises: “If you have international clients you need to know which data protection supervisory authority you come under” (for the UK, it’s the ICO).
I know, it’s a lot to take in. But in my next two columns I’ll be taking a selection of the above ‘to dos’ and helping you implement them for your firm in an actionable form.