The clock is ticking towards the GDPR
By now, you will probably have heard through the news, the media or your service providers that today marks the one-year milestone to the entry into force of the General Data Protection Regulation (GDPR).
This is likely to have elicited a number of responses, from “The wha’?”, to “Bring it on, we’re ready!”. The response from most organisations falls somewhere in between, given that many of us are in the process of preparing for this arrival date (25th May, 2018), or at least starting to think about it seriously.
What’s in a date?
There is nothing magical about today’s milestone – but human nature being what it is, we like to be able to put our obligations and commitments in context. We informed many of you that January 10th marked the 500-day milestone to this date, but the general response was: that’s a big number, come back to us when it is closer! It was 400 days on April 20th, 365 days from today, and if Google Calendar is to be believed, you can wait until Valentine’s Day, 2018, which will mark 100 days out from the big day (we don’t recommend this – we can think of far better things to be doing on Valentine’s.)
It should be remembered that, unlike previous deployments of DP legislation, there will be no ‘grace period’ from May 2018 onwards – in fact, we are in the ‘grace period’ now – the legislation was published in April 2016, and organisations were told quite clearly at that time that they had two years in which to prepare. From today, that timeline has been halved.
How to use the time available?
The other big question we get from our clients – where do we even start?
The Office of the DP Commissioner has provided a helpful checklist and graphic illustrating some areas of data management for consideration:
The UK’s Information Commissioner (ICO) and other EU Authorities have issued similar guidelines. For our part, at Sytorus we have been working with several organisations to plan their activities and training over the coming months.
How to use the coming year?
As with any plan, you have to start somewhere, so, for what it’s worth, here are some considerations:
Read the legislation – or at least, get some advice on the key changes that are coming down the track – some of them will apply to your organisation, and therein lies the core of your preparation plans. Happily, some of the changes will not apply, and you can stop worrying about those elements straight away! (For example, the obligation to create a record of your data processing activities only applies, in most circumstances, to organisations with more than 250 staff. Similarly, the obligation to get parental approval before processing the data of children under 16 will only apply to organisations offering social media accounts, etc.).
Understand your data – have a look at your data assets, both electronic and paper. Why do you have the data? How long have you had it? What is being done with it? Who can access it? Do you actually need it? How much is it costing you to store, to secure, to access, to keep up-to-date?
Make some constructive decisions – once you have a sense of your data assets, you will be better able to make some key decisions, all the while preparing for the GDPR.
Review your third-party contracts – the new Regulation requires that certain clauses are included in all contracts with your third-party data service providers – the coming year is bound to include a renewal date for such contracts, at which time the new clauses can be proposed, negotiated and added to the contracts (and if those contracts don’t currently exist, this would be a really good time to put them in place!)
Train your staff – as we have said before, the vast majority of your data risk lies in the activities of your staff, so the better they understand their obligations and responsibilities, the less risk you will be carrying. Take action on GDPR training.
Get rid of the burden – once you have had a thorough look at your data assets, it will become clear that certain data needs to be kept for a variety of legal or operational reasons, but also that quite a bit of legacy data can be removed and destroyed, thereby reducing your risk profile even further.
Document your data management processes – unless you fall below the threshold of having 250 staff, there will be an obligation on all organisations to map out their data management activities, based on topics and headers provided in the Regulation – what processing takes place, by whom, with what categories of data, and for what purpose(s), etc. These Data Processing Logs need to be in place by May 2018. You might be surprised by the number of processes that are being conducted as a daily activity within the organisation, and about which staff have become either ignorant or very complacent. It is a very worthwhile exercise to start looking objectively at our data management activities in this light.
Conduct a risk assessment – where your organisation is planning a change to its processing activities in the future, and particularly where that proposed change will introduce an element of risk to your data, you will be required to conduct a Privacy Impact Assessment. This follows the approach of a fairly standard risk assessment: you consider aspects of the project from the perspective of individual rights, quantify the risks, and make the appropriate changes and modifications to ensure that the risk profile is reduced or eliminated altogether.
Get assistance – for many organisations that already have a robust data management and Data Protection structure in place, the preparations for the GDPR will be relatively straightforward and manageable. For those organisations that are still struggling to comply with the 1988 Data Protection Act and the 2003 Amendment Act (or the 1998 DP Act in the UK), this road will be a little more challenging. There are plenty of organisations out there (Sytorus included) that are qualified and competent to work with you towards meeting your obligations and being GDPR ready by this day next year.