All organisations working in higher education will be aware of the Data Protection Act and, hopefully, their responsibilities under it. But, how many are aware that in a year’s time a new regulation – the EU General Data Protection Regulation (GDPR) – will come into force that will not only strengthen data protection, but also impose significant penalties for non-compliance?
What is the GDPR?
Introduced to keep pace with today’s digital economy, the new legislation makes sweeping changes to the current requirements, which means that existing data protection practices are unlikely to be adequate.
Irrespective of Brexit, it applies from 25th May 2018, with monumental fines for non-compliance: up to €20 million or 4% of annual global turnover, whichever is greater. Given its complexity, time is short for ensuring compliance, so you need to start preparing for it now.
Organisations will have to be much more specific about why they want the data and how they intend to use it. This will have to be carefully documented. Even then, individuals will have a host of new rights allowing them to object to certain data processing, to restrict how their data is used and even to have their data erased on a number of different grounds. There will also be onerous responsibilities on organisations to check and correct data that is alleged to be incorrect.
Individuals will be able to make data subject access requests free of charge (a reasonable fee may only be charged where a request is manifestly unfounded or excessive), and organisations must respond within one month, extendable by a further two months only where requests are complex or numerous, as opposed to 40 days under the current Act. Individuals can also request their data in a structured, commonly used, machine-readable electronic format.
What if I don’t do anything?
You might think that your current data protection procedures are good enough, but what if you are wrong? The GDPR has severe fines for non-compliance, and if you are fined, your organisation faces huge reputational damage. Do you really want to take that risk?
What do I have to do to meet the terms of the GDPR?
Essentially, the GDPR is just really good practice under the current regime given statutory recognition in legislation. If you are doing things really well now, you will only have a small step up to comply with the GDPR. But if you don’t, then you’re going to have a lot of work playing catch-up. You should see the GDPR as an opportunity and do it right.
It’s essential to get early management buy-in. Review what data you collect, how it is collected and why it is collected. Go through the organisation methodically, department by department. Then you need to know where your data is held. Is it held on a server? Where is that server? Is it held on removable storage devices? Is it encrypted at rest and in transit, and who controls the keys? Do you send or receive data from a third party and, if so, do you have appropriate contracts in place that set out what the third party may do with it?
The GDPR is not just about compliance; you have to demonstrate that you are complying and show how. That’s why getting management buy-in is essential. If you are launching a new product or service, compliance should be something you consider at the outset and not a bolt-on at the end.
What else should I consider?
Good cyber-security and insurance are essential.
You need to chart what the threats are to the data you hold, where those threats are coming from and how you are going to respond, including how you will detect a breach and notify the supervisory authority within the 72 hours the GDPR allows. As well as traditional external threats, breaches can come from within, from employees and contractors with legitimate access. New technology will emerge that will bring with it new threats as well as new opportunities.
If you haven’t already, carry out a full audit of your organisation’s data use and identify any potential weaknesses as soon as possible. There are plenty of tools and services out there to help you do this.
Remember, it’s not just about the threat of hacking: basic compliance and using data in the correct way are equally crucial.