GDPR: Don’t leave planning to the last minute

Feb 13 | 2018

The General Data Protection Regulation (GDPR) comes into effect in a few months, and moving companies that don’t want to risk incurring penalties for non-compliance must begin planning for its arrival sooner rather than later, according to Paula Tighe, Information Governance Director at leading law firm Wright Hassall.

Both national and international moving companies will need to begin pushing through the necessary changes early if they are to meet the new requirements – compliance cannot be achieved through a simple box-ticking exercise, as it can take months of planning to introduce new, effective procedures. Despite the UK leaving the EU, you will still have to comply: wherever your data comes from, if it is used, recorded or processed in the EU, GDPR applies to you.

Raise awareness and register it

One of the most important first steps for businesses is to start recording the entire compliance process, making a note of any significant changes to company policy. Also known as the ‘data register’, this record will help you adhere to the new accountability principles of GDPR, as it shows what data your company currently holds, how it was obtained and why it is being processed.

Rather than preventing you from doing things, GDPR compliance aims to improve standards by encouraging you to review existing processes and procedures, making them more effective where possible. Start by reviewing your existing privacy notices and policies, in both digital and hard-copy formats - are they concise, written in clear language, easy to understand and easily found? Finally, assess how you communicate these notices and policies to data subjects, ensuring you explain your reason for processing the data, how long it’s retained and how individuals can complain to the Information Commissioner’s Office.

Rights of the individual

Once GDPR has been introduced, individuals will enjoy much greater control over their personal data, including the right to request that information is edited or even deleted altogether.

Therefore, it is crucial that companies introduce procedures that can handle such requests efficiently – those businesses without the appropriate processes in place risk incurring penalties for non-compliance.

Perhaps one of the key drivers for the changes is the right for an individual to prevent their data being used for direct marketing purposes, as is the right to challenge and prevent automated decision-making and profiling.

Having transparent procedures will mitigate many potential future problems with the regulator, regardless of complaints or investigations. If your organisation correctly handles personal data under the current Data Protection Act, the change to GDPR should be no problem.

You must comply within a month when an individual makes a subject access request to see what information you have about them. If you think the request has no merit, you can refuse, but you must tell them why and how they can complain to the regulator.

Never assume consent

Handling consent for the capture and use of personal data for more than just contact is a tricky area. Individuals must give clear consent for their data to be used and be able to revoke consent at any time. If you want to use their data differently, you must obtain a new consent. How you attempt to obtain or confirm consent will help mitigate any future problems at the hands of the regulator.

Keep reviewing and recording

Where data processing could pose a significant risk to individuals because of the technology being used, or the scale of the processing, you should undertake a Privacy Impact Assessment (PIA). These assessments will help you and the regulator decide the likely effects on the individual if their data is lost or stolen and should form part of your ongoing processes. Ensure you have a robust process for making the assessments and then record it, along with the outcome.

Make someone responsible and keep it up

If your company routinely handles personal data, or deals with large quantities of sensitive information, then it may be worth appointing a dedicated Data Protection Officer to oversee procedures, ensuring your business is GDPR compliant at all times. Written records are also covered by the regulations, so ensure all your staff are trained in the correct handling of personal data. Most importantly, you must remember to record the compliance process using your data register, as this can help protect your company during the initial stages of GDPR.

It would be unrealistic to think every business will be fully compliant by the time it arrives, but those companies that can prove they are in the process of meeting requirements will fare a lot better than those who can’t.

Paula Tighe

Paula is a qualified data protection professional and leads the trusted advisor information governance service. Experienced in working with small, medium and large private and public bodies, Paula advises on a range of data protection issues, including training design and delivery, marketing, housing, project management and ICT security. Wright Hassall, a full-service law firm, advises clients across a variety of sectors including advanced manufacturing and engineering; food and agriculture; housing, development and construction; and gaming and digital media.

www.wrighthassall.co.uk
