What is GDPR?
The General Data Protection Regulation (GDPR) is an attempt by the EU to bring data protection legislation in line with new, previously unforeseen ways that data are now used. GDPR will apply to all EU member states from 25th May 2018.
Currently, the UK is governed by the Data Protection Act 1998, but this will be superseded by the new legislation.
GDPR gives people more say over what companies can do with their data and introduces tougher fines for breaches and non-compliance. It also makes data protection rules consistent throughout the EU.
Why it’s being introduced
There are two principal reasons for introducing the GDPR. Firstly, the EU wants to give people more control over how their personal data are used.
Many cloud-based companies give people access to their services in exchange for access to their personal data. The current legislation was enacted before this technology created new ways of leveraging data, and the GDPR seeks to address that. By strengthening data protection legislation and introducing tougher enforcement measures, the EU hopes to improve trust in the digital economy.
Secondly, the EU wants to give businesses a simpler, clearer legal framework in which to operate, making data protection law identical throughout the single market.
The Benefits of GDPR
GDPR will better meet the demands of the digital environment. The existing Data Protection Act predates the rise of platforms such as Google, Facebook, Snapchat, Amazon and Microsoft Cloud, and does not anticipate many of the ways data are now collected, combined and shared. As such, the legislation is out of date with current technology.
It gives individuals more rights over their information. Over the last few years, information has become a commodity that organisations buy and sell. GDPR gives all of us more rights over that data, and greater powers of legal recourse if it is stored or processed insecurely.
Organisations which are irresponsible with the security and privacy of information will be more visible through reporting to the Information Commissioner's Office (ICO). Organisations which can demonstrate a good track record in security and privacy of information can highlight their good service, leading to easier supplier selection and, ultimately, better customer satisfaction.
IT organisations can benefit from the GDPR requirement to keep personal data no longer than necessary. Data will no longer be kept just in case it is required, enabling IT departments to delete data on a defined schedule and reduce the burden on archival storage.
All organisations can benefit from a clearer, more up-to-date policy that enables them to manage data as an asset.
How it might affect your organisation
All organisations must be able to demonstrate continuous compliance with the requirements of GDPR, which are summarised below:
• All data subjects (eg learners, staff, contractors, etc) will have the right to erasure (the "right to be forgotten"), so an individual can request that all their personal data be removed from your systems. This right is not absolute and there are exceptions in certain circumstances (for example, where you are legally required to retain a record); see the ICO's guidance
• They can also make a Subject Access Request (SAR), in which the learner can ask to see all personal data you hold about them. You must be able to find that data across every system it lives in, and respond within the statutory time limit (normally one month)
• Where you rely on consent as the lawful basis for processing, that consent must be freely given, specific, informed and unambiguous, and explicit consent is required for special categories of data. Consent is only one of the lawful bases, but whichever basis you rely on, the learner must be told what data are recorded, for how long and for what purposes
• Previously only the Data Controller could be fined for data breaches; now Data Processors have direct obligations of their own, so responsibility could lie with either or both parties depending on the breach
• A Data Protection Officer is required if you are a public authority, or if your core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data. The Data Protection Officer can be an in-house data protection expert or a 3rd party contractor, but they must be independent and report directly to the Senior Management team
• A subject has the right to data portability, that is, to receive the data they provided to you and have it transmitted to another controller, so your systems must be able to export it in a structured, commonly used, machine-readable format, such as a .csv file
How you can prepare
This is a good time to check your procedures and to work out how you would react if, for example, someone asks to have their personal data deleted. Who would deal with such a request? Would your systems help you to locate and delete the data, including copies in backups, exports and third-party systems? Who will make the decisions about deletion?
Start your data audit now. This will be the best starting point to understand how you process data and what needs to change before the deadline. If you don’t already have set workflows and processes in place, define them now.
Going forward, make sure people in your business understand GDPR and why you have these processes in place. Make data protection a part of your induction process, so new starters are on board from the beginning.
Finally, don’t panic about GDPR. With proper thought, planning, buy-in from your business and support from your data management providers, there’s no reason why you won’t be ready for May 2018.
Talk to your MIS provider to find out how they’re preparing for GDPR or find out how CogniSoft is responding to GDPR here.