When do new GDPR regulations come into place?
The GDPR comes into force on 25 May 2018 without the need for national legislation. The UK government will table a new UK Data Protection Bill to reflect GDPR requirements and take us through Brexit in March 2019. The new regime will be here to stay - the UK regime needs to be as robust as possible if we are to retain the ability to share data with other EU member states (and internationally) after Brexit.
Why do we need the GDPR?
The current regime, which dates from the late 1990s, is simply not fit for purpose. The law needs to catch up with the tech explosion and the exponential increase in value of personal information, the way we use it and its importance for business. The ICO regularly releases and updates guidance notes to tackle the issues faced by organisations and individuals about data security and privacy, but this can only go so far. The problem is that the underlying regime doesn't cater for how to deal with large data sets now held by organisations, or with new categories of personal data (such as online identifiers) - and it focuses on data controllers rather than data processors.
If there is one indicator of how the EU views the value of data to organisations these days, it is the severity of the sanctions for breach of the GDPR.
How do we ensure compliance?
The first step is to form a team internally to develop and execute your readiness plan. Many organisations have formed a cross-departmental team (e.g. Legal, Compliance, IT, HR). Others will rely on one department to take the lead (e.g. Legal) with support from other areas of the business as required.
The next step is to create an inventory or record of the data which is currently processed by the organisation. CIOs are likely to be involved in the inventory process - for example by identifying and setting up an inventory tool, and helping to populate it based on what information is part of each application or process, and how information in each process or application is protected. The aim is to confirm what personal data is held (e.g. employee data, consumer data), on what legal basis (e.g. individual's consent, a business need, a legal requirement) and for how long. It should also cover whether the data is shared or transferred outside of the EU.
The inventory will be the central part of the record-keeping systems required by the GDPR. Whilst it is not required, many organisations might also elect to keep a record of the legal basis for the processing. This can make things easier when responding to an individual's subject access request for personal data.