Steve Talbot, Managing Director of IT Efficient, warns FMs to prepare for the upcoming changes under the new EU-wide data protection regulation
Did you know the current 1998 Data Protection Act (DPA) is due to be replaced next May? You should. On 25 May 2018 the DPA gives way to the EU-wide General Data Protection Regulation (GDPR), which changes how organisations may collect, use and transfer personal data, with far more comprehensive and far-reaching obligations that businesses must meet.
Whereas the DPA applies only here in the UK, the GDPR applies across the whole of the EU and, crucially, to any organisation anywhere in the world that processes the personal data of people in the EU. Whether our Brexit is hard, soft or middling, the new Regulation will still apply in the UK, with compliance monitored by the Information Commissioner’s Office (ICO) here and by an equivalent supervisory authority in each other EU member state.
You might think all this is an issue for your HR or IT Department, but, since it concerns the handling and holding of data, it also affects whoever is responsible for the storage, destruction or recycling of equipment that contains data. They need to understand the new regulation and liaise with the various internal departments to ensure everyone is complying, because there will be hefty financial penalties for organisations that don’t. These penalties can be up to four per cent of annual global turnover or €20 million, whichever is greater.
Under the DPA, businesses have no formal requirement for a dedicated Data Protection Officer (DPO). Under the GDPR, a DPO is mandatory for public authorities and for any organisation whose core activities involve regular and systematic monitoring of individuals on a large scale, or large-scale processing of special categories of data such as health records; the often-quoted 250-employee figure is not the DPO threshold but the point below which some record-keeping duties are relaxed. Also, currently, not all organisations are required to notify the ICO when a data breach happens. The new regulation requires any personal data breach that is likely to result in a risk to individuals’ rights and freedoms to be reported to the ICO within 72 hours of the organisation becoming aware of it (not of its occurrence), and failure to do so will again incur severe financial penalties. Organisations are not expected to have fixed the situation within that time, and may supply details in phases, but must show what steps they have taken. Where the breach is likely to result in a high risk to individuals, those whose data has been lost, altered, accessed or disclosed without authorisation must also be told without undue delay.
With regard to the data itself, the way it is obtained and held, and why it is being collected, will now be under much closer scrutiny and more tightly regulated. Organisations must identify a lawful basis for every processing activity before it starts, and be able to demonstrate it rather than merely assert it. Consent is one such basis, and where an organisation relies on it the GDPR sets a high bar: individuals must actively opt in, must be told exactly what information is being collected and specifically what it will be used for, and must be able to withdraw consent as easily as they gave it. All of this needs to be explained clearly and concisely, and an organisation cannot collect more data than is needed for the stated purpose. This means no more long forms with endless data capture fields, and an end to the dubious practice of pre-ticked boxes, which do not count as consent.
Any information relating to an identifiable individual is personal data under the regulation: name, address, marital status, job title, and also online identifiers such as IP addresses and cookie IDs, and factors specific to a person’s genetic, mental, economic, cultural or social identity. A subset, the ‘special categories’, attracts extra protection: racial or ethnic origin, religious or political beliefs, trade union membership, genetic and biometric data, and health information, including mental health.
Certain activities, such as systematic and extensive automated decision-making including profiling, large-scale processing of special category data, or any processing likely to result in a high risk to individuals’ rights and freedoms, will require a Data Protection Impact Assessment (DPIA) before the processing begins. This will be mandatory, and if the assessment identifies a high risk that cannot be mitigated the ICO must be consulted before going ahead. The ICO’s existing Privacy Impact Assessment guidance is the starting point for this.
The rights of individuals will now be much stronger. People will have a right to have inaccuracies corrected, to have their information erased in certain circumstances, and to object to direct marketing, which must then stop without any further justification. They will also have a right to know what data is held about them by any organisation, with a copy normally supplied free of charge within one month. This means an individual’s data must be stored in such a way that all of it can be located quickly and easily, across every system and backup. Where data was provided by the individual and is processed electronically on the basis of consent or a contract, they can demand it be transferred to a different organisation in a commonly used, machine-readable format; they can also demand it be removed from a database (including copies, with any recipients it was passed to informed) or that processing be restricted while a dispute is resolved. These rules are known as the ‘right to data portability’ and the ‘right to be forgotten’.
All these new rules mean that businesses must check who holds copies of their information, including sub-contractors and vendors, and ensure there are proper systems in place to delete information permanently, not just mark it as deleted. All staff need to be aware of the GDPR and what it means for the data they each hold; it can be mind-boggling how much data is inadvertently held by individuals within a company, on laptops, phones, USB sticks and shared drives. Secure data destruction is therefore critical, as is proper disposal of computer equipment when the time comes. Data must be verifiably cleared before recycling, refurbishment or resale of electronic items that are not being physically destroyed, and the method has to match the media: an overwrite that is fine for a spinning hard disk is not reliable on solid-state drives, which need the drive’s own secure-erase command, cryptographic erasure or physical destruction. Whatever the method, keep an auditable record, such as a certificate of destruction listing serial numbers, because under the GDPR you must be able to demonstrate compliance, not just claim it. This can apply to everything from a single phone to an entire company server.
IT Efficient processes some 300,000 items of IT equipment a year, both on and off site, and is happy to discuss and advise FMs and their colleagues on the implications of the new Regulation for both legacy and newly acquired equipment, to ensure they are complying.