Dave Evans gives us the do’s and don’ts of the incoming legislation.
Are you ready for the GDPR? It’s one of the biggest shake-ups to the way we collect, store and process personal and sensitive data, designed to harmonise EU-wide data protection laws and offer greater protection for individuals.
You’ll find plenty of information out there about what the GDPR is, what you need to know, and how it affects training companies and L&D departments like yours – but given how complex the regulations actually are, it’s understandable that many myths and misconceptions have arisen.
So, to make sure you’re fully GDPR-compliant by 25 May 2018, let’s bust some myths.
It’s just the same as the Data Protection Act
While it’s true that the GDPR is another form of data protection legislation, it’s a lot more in-depth and intricate than that.
For starters, rather than mirroring existing regulations, it strengthens many of the existing laws surrounding data protection – with additional responsibilities for all data processors and controllers; beefed-up rights for individuals; and increased fines for companies that seriously break the law, up to £20 million or 4% of global turnover. In other words, this is a big deal.
Brexit will change everything
The GDPR is an EU directive, so once Britain leaves the European Union in 2019, that’s the end of it, right? Nope. Britain is fully committed to implementing and upholding the GDPR, and has stated that any post-Brexit legislation will closely mirror the EU’s own. Essentially, then, Brexit changes nothing – you’ll still need to comply with the law.
This only affects European companies
It doesn’t matter whether your business is based in Canterbury, Canberra or Chicago: if you process the data of EU citizens or British subjects, you must conform to the General Data Protection Regulation. And you’ll be entirely responsible for ensuring that happens.
However, the GDPR does offer a golden opportunity to protect the data of all learners, wherever they are in the world – which is best practice in an age where online privacy and hacking threats dominate the cyber-conversation.
I’ve got ages ‘til the deadline
G-Day is May 25th 2018. But that doesn’t mean you should sit back and await the deadline – now is the perfect time to begin preparations. The GDPR will force you to assess every data-based process your business undertakes.
That’s going to take time, dedication and effort, so the more time you spend preparing and investing, the better. A few steps to get you started include:
- Audit your current processes and track your data flow
- Obtain ‘explicit consent’ for any sign-ups and subscribers
- Appoint a GDPR guru to help and advise others within your training organisation
We’ve never been hacked so data breaches don’t worry us
With the heightened awareness of cyber-criminality, the most obvious type of data breach is online hacking. But that’s only one extreme example. According to the ICO, a data breach covers all ‘unauthorised or unlawful processing… accidental loss, destruction or damage.’
So, just because you’ve never been hacked doesn’t mean you’re not at risk of data breaches. Indeed, most breaches occur when proper processes aren’t put in place and followed by a business. In keeping with increased individual protections, data breaches form a core part of the GDPR. So, if you suffer a breach, you’ll need to take swift action.
- Report it to the relevant authority within 72 hours (in the UK, that’s the Information Commissioner’s Office)
- Maintain and show internal records that demonstrate your GDPR compliance
- In some extreme cases, where a breach directly threatens an individual – for instance, if the breach could lead to identity theft – you’ll have to alert the individual involved too
It probably won’t affect me because…
Let’s stop right there. Administrator. Marketer. Third-party data processor. Whatever role you play in your department, if you process data, then you have increased responsibilities and liabilities. That means, as a ‘processor’, you will be held legally responsible for the security, accuracy and maintenance of all personal data you process, as well as any data breaches that occur on your watch.
This is a significant shift from the current data protection laws, which typically hold the company, or ‘controller’, solely responsible for any data breaches. Meanwhile, the GDPR rules that ‘the controller shall be responsible for, and be able to demonstrate, compliance with the principles.’
Once it’s done, it’s done
OK, so you’re confident that your training company or L&D department is fully GDPR-compliant. All the correct processes are in place; all employees are properly trained on their rights, risks and responsibilities; all information is accurate and up-to-date. But the work doesn’t stop there. Continued compliance relies on ongoing commitment. And that means…
Undertaking Data Protection Impact Assessments
Data Protection Impact Assessments (DPIAs) enable your company to recognise and resolve any data processing issues before they become problems. And they’re particularly useful should you experience a data breach. DPIAs should be carried out whenever new technologies are implemented in your business or when data processing presents a ‘high risk’.
Introducing ‘privacy by design’
Under the Data Protection Act, privacy by design wasn’t a legal obligation; the GDPR changes that. Privacy by design is an approach that, unsurprisingly, promotes privacy and data protection from the beginning of all projects. The ICO state that ‘privacy by design’ should be implemented when…
- building new IT systems for storing or accessing personal data;
- developing legislation, policy or strategies that have privacy implications;
- embarking on a data sharing initiative; or
- using data for new purposes.
Maintaining internal records
As your company expands, you may find that you become legally obliged to maintain internal records. These records are designed ‘to show that you have considered and integrated data protection into your processing activities.’
Under the GDPR, larger companies – those employing 250+ staff – must keep additional internal records, while smaller businesses must maintain records relating to ‘high risk’ data processing.
About the author
Dave Evans is managing director of accessplanit.