It’s been a few months since I last blogged on the subject of the GDPR so it seemed about time to review the situation as of now (November 2017).
There are now about six months left before the GDPR starts to apply on 25 May 2018 and many organizations are frantically trying to work out what it means for them. CertiKit launched its GDPR Toolkit in June and quickly followed up with version 2 in October, and the degree of interest has been staggering. But beyond the core text of the regulation there is much work going on at government level to clarify what the GDPR means in practice.
Those of you who are heavily into data protection (and let’s face it – who isn’t at the moment?) will know that there is a body, set up under the current Data Protection Directive of 1995, to discuss and cogitate on issues of data protection. This goes by the catchy name of The Article 29 Working Party and consists of the heads of the various supervisory authorities from around the European Union. These representatives meet on a regular basis to try to shed a bit more light on some of the trickier aspects of the upcoming GDPR and to help everyone work out what it all means.
The Article 29 Working Party has produced a number of guidance documents on the subjects of:
These are available here – http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083
So if you are struggling to understand how some of the above issues might affect you, these guidance documents may be worth a read.
The UK Information Commissioner’s Office has also been busy preparing for the GDPR. On 1 November 2017 it launched a new telephone helpline for small businesses in the UK. To access this, the ICO website instructs you to “dial the ICO helpline on 0303 123 1113 and select option 4 to be diverted to staff who can offer support.”
The ICO will also be simplifying its 12 Steps to Take Now guidance and will be publishing a Guide to the GDPR by the end of the year (a little later than some would have preferred), based on its current Overview of the GDPR guidance.
They will also be giving a better steer on a number of GDPR-related subjects, including
But all this doesn’t come free. Whereas the current Data Protection Act requires many organizations to pay a fee to the ICO to fund its operation, the GDPR effectively does away with this requirement. “Hurray!” you may shout, but don’t be so hasty. When have you ever known Government fees to disappear? Instead, the Digital Economy Act steps in to reinstate such a fee for data controllers, with a new schedule of charges that takes account of organization size and of the amount of personal data being processed. Proposals suggest that the charges will range from “up to £55” for small businesses to “up to £1000” for larger businesses that process more data.
All of this is complicated enough, but of course the other factor thrown into the mix is Brexit. Although the UK will still be a member of the European Union when the GDPR starts to apply, the plan is to leave the bosom of the EU sometime afterwards. The GDPR will of course still apply to UK organizations that handle the personal data of individuals in the EU, but to plug the gap for everything else the UK government is introducing a new Data Protection Bill. The general view seems to be that this will be very GDPR-like but will also define some areas where the UK may diverge slightly, or set out specific derogations or exclusions.
If you’re working for an organization that is trying to stay on the good side of the law by preparing for the GDPR, then what should you be doing now?
In my humble opinion, your first step should be to decamp to a local coffee shop with a copy of the actual GDPR text and have a read. No amount of sage advice and bluster from industry experts will replace the simple act of having read the source document for yourself. OK, it’s not Booker Prize-winning literature, but it is surprisingly readable in most places, and the simple fact is that about two thirds of the Articles won’t apply to you anyway, as they are aimed at various governmental structures such as the supervisory authorities. Go on – you won’t regret it.
After that, remember that the key to all of this is to follow the data. What personal data do you collect, what is it used for, where is it stored and who is it shared with? Many of the other GDPR issues (lawful basis, retention, subject access, breach notification) fall into place once you have this basic map.
Use the guidance on your supervisory authority’s website and check out the Article 29 Working Party’s site where necessary. Webinars, seminars, courses, qualifications, books and of course document toolkits will all come in useful too.
You still have six months – use them wisely my friend.