GDPR is due to come into effect in the UK on the 25th May 2018, and it’s important that all companies, in both the private and the public sector, are aware of the changes it will bring. It represents a major update to the existing Data Protection regulation and aims to give consumers back control over their personal data. It will also grant far greater powers to the Information Commissioner’s Office, whose maximum fine will rise dramatically from £500,000 to £17 million, or 4% of global revenue. All UK and EU firms have a fiduciary duty to understand and implement these changes when monitoring or using personal data.
How does it affect the public sector?
Public sector organisations, by their very nature, are likely to hold large amounts of sensitive personal data, such as financial details, contact information, addresses and medical records. Many public sector organisations employ third-party ICT support and data storage services; regardless of who handles the data, it remains your organisation’s responsibility to ensure compliance and keep that data secure.
What changes need to be made?
Before the 25th May, your company will need to have fulfilled all requirements of GDPR. The major changes associated with this are listed here.
• Suitably train all staff on how they will now need to collect and store customer data.
• Conduct Data Protection Impact Assessments as a means of testing the security of your systems and processes. If you are implementing new technologies or changing the way you categorise data, these assessments are vital.
• If a breach occurs, be sure to notify the ICO within 72 hours. If it is considered a major breach and individuals are placed at risk, the affected individuals will also need to be contacted directly.
• As well as staff on the ground, all executive managers and board level staff need to be aware that they are accountable for ensuring their company’s compliance. They will also need to keep documented records of steps taken to reach this new level of compliance.
• One major change is the way in which customers must “opt in” before any data is collected, so make this clear on any forms and remove pre-ticked opt-in boxes.
• However, if a task is being performed in the public interest and it requires the processing of data, then under authorised circumstances this is permitted without prior consent.
• Once data has been used for the intended purpose, it must then be destroyed.