But companies must be wary of the barrage of ‘incorrect information’ on GDPR, warns the ICO’s Alison Johnston
By Alison Johnston
If you are an event organiser with responsibility for people’s personal information, you will no doubt have recently considered some big changes within your business, and the good news is that we, the ICO, are here to help as you get to grips with the new data protection legislation.
The new legislation, which came into force on 25 May 2018, isn’t just the General Data Protection Regulation (GDPR); it also includes the UK government’s Data Protection Bill.
Their aim is to bring a more 21st-century approach to the processing of personal data. But don’t forget about the Privacy and Electronic Communications Regulations (PECR), which will continue to be in force alongside the GDPR and the Data Protection Bill.
The new reforms place more obligations on all organisations to be accountable for their use of personal data, so you’ll need to think carefully about the way you handle customer and staff records. Now is the time to review your current policies and procedures and ensure they are compliant with the new legislation.
Consumers will have more rights, such as being better informed about what businesses are doing with their data and having greater access to and control over their data.
If you’re complying with the existing data protection law, you’ll be well on the way to complying with the new laws but now is the time for all organisations to be making changes. I’ve highlighted a few key points event companies will need to be aware of if they haven’t already.
The new laws strengthen the controls around consent. It will need to be freely given, specific, informed and unambiguous, and organisations will need to be able to evidence that they have it for as long as they are relying on the consent for processing data. A pre-ticked box will not be valid consent, nor will silence or asking individuals to opt out. You will need to be confident that your current consent requests already meet the new standard and that they are properly documented. Our consent checklist sets out the steps you should take to ensure compliance with the new standards. This checklist can also help you review existing consents to see if they meet the higher standards. If they don’t, you will need to seek fresh consent.
There is a misconception that you are required to automatically ‘repaper’ or refresh all existing consents gathered under the current Data Protection Act (DPA) in preparation for the new laws. This is not the case; however, it is important to check your processes and records in detail to be sure existing consents comply with the new standard. If they don’t, you will need to refresh them.
You will also need to ensure that compliant mechanisms are in place for individuals to withdraw their consent easily. There are many misconceptions about consent and the new legislation, which Information Commissioner Elizabeth Denham addressed in her myth-busting blog on consent last year.
If you are using electronic communications, it is likely you will need consent under ePrivacy laws, currently PECR, for many marketing calls, texts and emails. For more about PECR, our Guide to PECR is the place to start.
One of the main requirements of the new law is transparency – people have the right to be informed about the collection and use of their personal data. This exists in the current DPA; however, the new legislation requires organisations to provide individuals with more specific information, including: your purposes for processing their personal data, your retention periods for that personal data, and who it will be shared with. A full list of the information organisations need to provide to individuals can also be found on our website. We call this ‘privacy information’, and it must be provided to people at the time you collect their personal data from them.
Maintaining records and training
No matter what size your organisation is, you will need to have clear data protection policies and procedures in place. You should review current policies and procedures and update them where necessary to ensure compliance with the new laws.
All staff will need to be trained on these procedures and on the new legislation. This is particularly important given the volume of incorrect information about the new laws currently in the media. It is your organisation’s responsibility to ensure that staff have the correct information to comply with the new laws. The new laws also require organisations to maintain records of data processing activities; what must be recorded can differ depending on the size of the organisation.
Data security breaches
It will be mandatory to report certain data security breaches to the ICO within 72 hours of becoming aware of them and, in some cases where the breach is considered high risk, to the individuals affected.
Organisations processing data on behalf of others will have more responsibilities
Data controllers, the organisations responsible for deciding how and why personal data is processed, will have to ensure that any contracts with data processors, the organisations that process data on their behalf, comply with the law. Data processors will have more obligations under the GDPR and will need to maintain records of personal data and processing activities. Processors will also have significantly more legal liability if a data breach occurs.
There is a wealth of material on the ICO’s website dedicated to helping organisations of all sizes. We have resources for micro businesses, an overview of the new legislation for larger organisations, and an updated data protection toolkit for SMEs that lets you compare what you are currently doing around data protection with what you should be doing under the new regulations. You can also keep up to date with new ICO guidance by signing up to our monthly e-newsletter.
Alison Johnston is Lead Policy Officer at the Information Commissioner’s Office (ICO) in Edinburgh