There is now less than a year to comply with the European Union’s General Data Protection Regulation. Yesterday was the one-year mark.
Some might think the UK will be exempt from GDPR because it has formally notified the EU of the British public’s referendum decision to exit the 28-nation trading and political bloc, with the process now known as “Brexit”.
However, there are at least two problems with that: first, there’s still a chance that the UK will reverse its request to leave, especially if the Labour Party wins the general election next month; and second, the Conservative UK government has said that its post-EU rules and regulations will mirror those of the EU, meaning GDPR rules will still apply.
The main motivation for complying with GDPR rules would be the potentially ruinous fines a company would have to pay if it was found to be in breach.
The EU has said it would impose fines of up to 5 per cent of a company’s annual global income if it failed to comply with GDPR and broke some of its rules.
The main rules are designed to protect users’ personal data, and where there is a security breach in which, for example, user account details have been stolen, companies must notify all users within a few days.
Other crucial aspects include the requirement to hold European users’ data inside Europe, which has led quite a few companies to set up data centres on the continent.
The UK Information Commissioner’s Office has published a document advising companies on how to prepare for GDPR. The “12 steps to take now” that the ICO recommends are:
- Awareness – key decision makers should know the potential impact of GDP
- Data – document what personal data you hold
- Rights – ensure your procedures cover all the rights individuals have
- Access – plan how to handle access requests
- Process – identify the lawful basis for processing activity
- Consent – review how you manage consent
- Children – review systems for verify individuals’ ages
- Breaches – put in place the right procedures to detect, report and investigate data breaches
- Protection – work out when and how to implement the ICO’s code of practice
- Officers – designate someone to be the data protection officer
- International – determine your lead data protection supervisory authority
The ICO has also published an online self-assessment GDPR checklist which may be a useful starting point for some companies.
The UK government-appointed information commissioner, Elizabeth Dunham, says Brexit and GDPR mean her term is characterised by “interesting times”, a reference to an old Chinese idiom.
The general election complicates things even more, suggests Dunham, in a clear sign that there is no final regulatory structure yet decided as a mirror of GDPR.
“But while the exact form of the legislation may vary the route, the direction of travel for privacy and data rights is still the same,” says Dunham. “Consumers aren’t concerned about the details of the GDPR, or what legislation might follow it. They’re asking questions such as: ‘Is my data properly protected? Who’s holding organisations to account? What privacy rights do I have?’”
Dunham yesterday launched the ICO’s Information Rights Strategic Plan. “We have interesting times ahead, but this document will be the map that guides us,” she says.