7 May 2018
Shedding Light on #GDPR
Seascape, Beatrice Bright
Photo credit: Doncaster Museum Service
With less than 3 weeks to go until #GDPR becomes law across Europe, we wanted to take some steam out of the scare-mongering and shed some light on some of the more ridiculous myths we have been hearing about the forth coming changes to the data protection legislation, and return again to our top tips to help you move forward.
1. GDPR is brand new
No its not. In the UK, we have the Data Protection Act 1998. The General Data Protection Regulation (GDPR) is an uplift on existing data protection laws. In fact, the current laws are not damp squibs at all. The Information Commissioner (ICO), was able to secure a search warrant to enter the premises of Cambridge Analytica with further action pending under the current data protection legislation. Companies who have broken the existing data protection laws are already being named and shamed on the ICO website. GDPR harmonises data protection laws across the EEA (European Economic Area) which will make it much easier to regulate bad business practices across the Digital Single Market, through a more joined up approach between European regulatory bodies and increased fines.
2. GDPR can be solved easily with new IT systems and/or consent forms
No it cannot. Its much more intrinsic than that. Apart from increasing accountability, transparency and the rights of data subjects, the aim of GDPR is to encourage a “privacy by design” culture. This means that every single organisation who is processing personal data, will need to consider what they are doing, why and on what basis before their new projects begin. They need to document their decisions, ensure that all staff know what their responsibilities are, develop suitable policies, create procedures for dealing with data breaches and subjects access requests (SARs) etc. This is means that GDPR is all about changing behaviours, leading to international cultural change to ensure that commoditisation of personal data without consent as well as poor business practices will not be tolerated.
3. Everyone must be compliant by 25 May
This is probably impossible for several reasons:
a. The Data Protection Bill 2018 is still going through parliamentary procedure and as of the time of writing, it still has to enter the Report Stage in the House of Commons. Certain aspects have still to be confirmed such as the age of consent for online use, the exemptions and whether public funded organisations, such as National and Local Authority funded museums and libraries will be defined as “hybrids” in order to benefit from the legitimate interests grounds for processing.
b. Compliance with the new data protection legislation is a journey, according to the ICO. This means that the end destination will be full compliance, but to be honest, the Data Protection Act 1998 has been so badly ignored, that there is a considerable journey ahead for most organisations. ICO want you to demonstrate that you have started it, and their 12 Step Guide is a very good way to begin, but this is about systemic cultural change, which takes time.
Top Tip #1: Don’t be scare-mongered about GDPR. It’s a step up from current data protection laws, and there is no magic bullet. The Data Protection Act 2018 is about embedding long term systematic “privacy by design” processes and policies within organisations. There is no ICT system that solves it!
Top Tip #2: You can bring together your external compliance obligations in one place. For example, your privacy notice should clearly state why you are collecting personal data etc. It can be published online with your copyright notice which explains what your position is on copyright, and stating what users to your website can do with your content.
Top Tip #3: Data Protection responsibilities can be linked to broader safe guarding responsibilities towards children, vulnerable adults etc
Top Tip #4: Data Protection laws apply to print and digital forms of personal data. Know what you have, why and where it is stored. Decide if you should keep it or not, and if so, make sure you plan how you keep it safe.
Top Tip #5: If you can’t find a legal justification for processing personal data, delete or destroy. Otherwise it’s your risk.
Top Tip #6: The new Data Protection laws are a great opportunity to spring clean your personal data and/or reconnect with people with whom the personal data you hold on them belongs.
Top Tip #7: Make sure you understand your obligations as a Data Controller when others are processing your personal data on your behalf. Always ensure you use robust contractual agreements between you and your data processors.
Top Tip #8: Think holistically about how you can embed “Privacy by Design” into everything you do. Your existing policies like social media, ICT & HR can usefully be amended to cover your Data Protection obligations.
Top Tip #9: Embed clear guidance about data protection into staff awareness & engagement. its everyone’s responsibility.
Top Tip #10: Map out your next steps to be complaint with the Data Protection Act 2018 in an action plan comprised of short, medium and long term actions and who will take them forward. You won’t be able to do everything at once, but you can start your journey sensibly whilst committing to long-term organisational change.
(c) Naomi Korn, 2018, Some Rights Reserved. The text of this blog is available for reuse under a Creative Commons Share Alike Licence. The image is (c) Doncaster Museum Service, sourced from Art UK, and available under a Creative Commons Attribution Licence.