GDPR is coming!
Is your company ready?
The UK government has published its new Data Protection Bill. The bill, introduced into the House of Lords yesterday and published in full today (PDF), aims to overhaul and update the UK’s data protection laws and to prepare UK businesses for life post-Brexit. It does this by aligning UK data protection law with the EU’s new GDPR (General Data Protection Regulation), which comes into effect in May 2018. A few months ago, we took a look at some of the key new requirements of the GDPR and the measures organisations will need to take to remain compliant and avoid fines. Here we return to the topic, to see which of those measures have made it into the new Data Protection Bill:
New Right Of Access and Data Portability
In our earlier post, we highlighted that, under the new GDPR, ‘data subjects can ask the Data Controller for a copy of any personal data being processed at any time’. The Data Controller must then supply them with a copy of the personal data, free of charge and in an electronic format. The data must come back to them in ‘a structured and commonly used and machine-readable format’.
The new Data Protection Bill confirms that ‘a data subject is entitled to obtain from the controller confirmation as to whether or not personal data concerning him or her is being processed, and where that is the case, access to the personal data and the information set out in a subsection.’ It also, as predicted, states that ‘the controller must take reasonable steps to ensure that any information that is required by this Chapter to be provided to the data subject is provided in a concise, intelligible and easily accessible form, using clear and plain language.’
As predicted, accessibility is the name of the game. The overview of the bill, under the section ‘what are we going to do’, states: ‘empower people to take control of their data.’ Our online document storage and cloud collaboration tools make fulfilling such requests simple, as opposed to trawling through paper files.
Privacy by Design
The new Bill has a section titled ‘Data protection by design and default’. This chapter states that ‘each controller must implement appropriate technical and organisational measures which are designed: (a) to implement the data protection principles in an effective manner; (b) to integrate into the processing itself the safeguards necessary for that purpose.’ It also states ‘Where a controller is required by any provision of this Chapter to implement appropriate technical and organisational measures, the controller must (in deciding what measures are appropriate) take into account— (a) the latest developments in technology,’ – amongst other considerations.
Controllers and processors must therefore take account of the latest technologies when deciding how to secure their processing. This is also supported by the opening statement of the Bill, which says that ‘In implementing the GDPR standards, the Bill will require organisations that handle personal data to evaluate the risks of processing such data and implement appropriate measures to mitigate those risks. For many organisations, such measures will likely need to include effective cyber security controls.’ Privacy measures must demonstrably be a part of Data Controllers’ organisational structures. Our Technology and Document Management services can help you build security into your operations, using tools such as password-protected file encryption and PIN-required printing.
Right to be Forgotten
As in the GDPR, a ‘Right to erasure’ exists under the new Bill. The Bill states that the controller must erase personal data without undue delay where the processing would infringe the data protection principles. Our cybersecurity team can work with your organisation so that your security standards support compliance, and can provide a cost-effective strategy for managing your cybersecurity going forward. We also provide a secure data disposal service, which securely disposes of digital and magnetic media and provides you with a certificate of destruction.
Increased Territorial Scope
The GDPR applies to all companies processing and holding the personal data of data subjects residing in the European Union. If you are situated abroad but handling an EU individual’s data, you have to be GDPR compliant. Looking ahead to post-Brexit, the new Bill states the same. The Data Protection Law applies to any controller or processor ‘established’ in the UK. It also applies to any controller or processor established outside the UK where the data being processed is that of an individual who is in the UK at the time of processing.
Data Protection Officers
As in the GDPR, the Bill states that ‘The controller must designate a data protection officer, unless the controller is a court, or other judicial authority, acting in its judicial capacity.’ The GDPR states that the DPO ‘Must be provided with appropriate resources to carry out their tasks and maintain their expert knowledge’. In the same way, the new Data Protection Bill states that the DPO must have access to all the resources necessary to ensure compliance and to liaise with the Information Commissioner. Raising awareness amongst staff of the requirements of the Data Protection Bill is also important. Resources such as our Cloud Computing, Document Storage and Digital Communication services would allow your DPO to do their job easily and efficiently.
To speak to one of our Cyber Security or Document Management experts, and find out how they can help you remain compliant, email firstname.lastname@example.org or call 0870 890 0020.