Copy updated: 13 April, 2018.
Things to consider before new data protection regulations come into effect this May
The General Data Protection Regulation (GDPR) comes into effect on 25 May 2018, replacing the Data Protection Act 1998 (DPA). In many ways, it will simply reinforce the obligations you already have under the DPA; however, the GDPR has a wider scope and carries tougher penalties for those who fail to comply.
Whether the personal data you use and store relates to clients, students, staff or local support group (LSG) attendees, this article outlines a few key things to consider to be compliant.
What is personal data?
The GDPR defines personal data as any information relating to an identified or identifiable natural person. It defines this person as someone who ‘can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to […] that natural person.’ (Article 4)
What information do you hold?
Start by documenting what personal data you hold, how it’s stored, where it came from and who you share this with. This will help you identify any areas of risk – such as storing, using and sharing data securely – and also give you an idea of any processes that need improving.
Privacy notices
You should have a privacy policy in place, which clearly explains who you are and how you intend to use a person’s information. This should include how long you will hold their personal data for; how and when you will delete their personal data records; that they have a right to access any personal information you hold about them; and that they have the right to complain to the ICO if they think there is a problem with the way you are handling their data.
The policy does not have to be long and complicated, but make sure people are aware of it and know how to access it.
Accessing information
People already have the right to access personal data you hold about them, but the GDPR will mean this information needs to be supplied within one month of their request. The ICO advises that in most cases you will not be able to charge for this service, unless the request is ‘manifestly unfounded or excessive’.
Consent
Review how you seek, record and manage consent to use and store personal data, and whether you need to make any changes.
According to the ICO, consent must be freely given, specific, informed and unambiguous. There must be a process of ‘opting in’ – consent cannot be inferred from silence or by having pre-ticked boxes.
Reviewing the personal data you hold in order to be GDPR compliant is a good opportunity to ensure this information is current and reflects each person’s wishes. Ask those who have engaged with your services in the past year:
- If the information you hold about them is accurate and up to date.
- If they are happy to ‘opt in’ and be contacted by you for information relating to your services, for example appointment reminders, special offers, or newsletters. Make it clear that they can opt out of these communications at any time, quickly and easily.
- How they would like to be contacted by you going forward for each of the above (by email, phone, text message, post, other).
In the process of checking someone’s personal data, be very careful not to disclose this information to someone other than that specific individual.
Other points to consider
- Obtaining permission from a parent or legal guardian for consent to process the personal data of a child.
- Having a process in place to detect, report and investigate a personal data breach.
Still have questions?
This article is intended for guidance only. It is not all-encompassing, nor does it constitute legal advice.
Contact the ICO Helpline if you have any questions about data protection or the GDPR. T. 0303 123 1113.
Advice and a copy of the GDPR are also available from their website: ico.org.uk