13 November 2017
Data Protection reform and GDPR
GDPR is the new European Union data protection regulation. It will come into force on 25th May 2018 and will - we expect - be accompanied by a new UK Data Protection Act, ready for Brexit in 2019. Veritau will be helping its clients to prepare, and will of course be preparing itself. What are the main changes, and what must we all do?
Firstly, be compliant with the current Data Protection Act. Its features will all continue – the rights of data subjects, and the duties on data controllers – so fulfilling all of those will mean only the new features need to be added. A complete Information Asset Register is an essential tool for locating the contracts and privacy notices that should be reviewed.
There are some significant detailed changes, but overall organisations will have to be able to demonstrate compliance. So the Information Asset Register will now also record the legal basis of all processing. If that relies on consent, then each consent must be recorded. Indeed, consent must be positively indicated – no more pre-ticked boxes.
Consent has always been difficult to rely on, and will become more so for large public sector organisations. The need to carry out “Public Task” – providing public services – is likely to become a more reliable legal basis.
The Information Asset Register will also help identify contracts for data processing, which must be reviewed because the processor will become liable for its data breaches directly to data subjects (and the Information Commissioner). The need for better evidence will also mean we must document all our data sharing with other data controllers.
Other headline changes:
- time for a Subject Access Request is reduced to 30 days (although perhaps extendable)
- maximum fine the ICO can impose rises to £18m
- children of 13 and over will not need parental consent to use social media
- new or different services must be subject to a Data Protection Impact Assessment
- significant data breaches must be reported to the ICO and perhaps to data subjects
Lastly, all public authorities (and other large organisations) must employ a Data Protection Officer. The Data Protection Officer can be either a person or an organisation, must be suitably qualified, and must be given sufficient resources and independence to carry out the role.