This blog has covered the General Data Protection Regulation (GDPR) in fairly exhaustive detail. For those of you who aren’t quite up to speed: the GDPR is a piece of EU legislation adopted in April 2016. It was designed to replace the 1995 Data Protection Directive, harmonise the rules across member states, and make EU law fit for the digital age.
The GDPR entered into force in May 2016, but organisations have had a two-year transition period: it applies from the 25th of May 2018. Being an EU regulation rather than a directive, it’s directly binding without the UK government passing any legislation. With that said, the GDPR grants member states some leeway to tweak the rules to suit their circumstances. For example, the UK government’s Data Protection Bill, first published in September 2017, grants exemptions for certain sorts of researcher and journalist.
Let’s take a closer look at the thorny topic of GDPR accountability, and what businesses can do to stay within the new rules.
The accountability principle
Under the GDPR, organisations must demonstrate their compliance with the law. While this principle was implied by the Data Protection Act 1998, the new rules spell it out: you are responsible. Get it wrong, and there’s no-one to pass the buck to!
The relevant provision can be found in Article 5:
“The controller shall be responsible for, and be able to demonstrate compliance with, [the principles relating to the processing of personal data].”
For many businesses, from a GDPR accountability perspective, this means implementing new organisational practices, and periodically reviewing and changing those practices. You’ll need to be proactive about it, and document the steps you’re taking. These steps might include training, monitoring, audits, and other measures.
What security measures should we take?
Since some sorts of data are more sensitive than others, they warrant stronger protection. The GDPR is written to reflect this, referring to ‘appropriate technical and organisational measures’. Now, what’s ‘appropriate’ and what isn’t might seem subjective, but Article 32 of the GDPR helps clear things up, obliging organisations to take…
“…into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.”
It’s worth noting that information security doesn’t just mean firewalls and encrypted data packets. If someone walks into your office and physically removes a stack of registration forms, you’ll be just as culpable as if they’d hacked in using sophisticated malware.
What about contracts?
Contracts are a formal means of demonstrating that two parties exchanging personal data understand their obligations regarding GDPR accountability. Article 28 of the GDPR explicitly outlines what must go into a contract between a controller and a processor. For example, it must state that the processor only acts on the documented instructions of the controller, and that the individuals authorised to process the data are bound by a duty of confidentiality.
What about Data Protection Officers?
However stringent your data security procedures, there will always be a remote chance of a breach occurring. By preparing for the eventuality, you’ll be able to minimise the damage caused.
This means you’ll need to be able to spot a personal data breach, and to do that you’ll need a named person or team who owns the job of managing them. Under the GDPR, that role commonly sits with the Data Protection Officer, whose job is to monitor compliance, advise the business, and act as the point of contact for the ICO and for the individuals whose data you hold (we’ve talked about DPOs in greater detail here). Bear in mind that a DPO is only mandatory for public authorities and for organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data; other businesses may appoint one voluntarily. Businesses might consider bringing someone in from the outside to do this job – that way they’ll be able to work without being encumbered by internal politics.
What happens when a breach occurs?
Ideally, a pre-prepared plan will come into action, and the person who discovers the breach will know when to escalate, and how. That way there’s little chance of the incident getting buried in the system.
The GDPR obliges organisations to report a personal data breach to the relevant national authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of the individuals affected. In the UK, we report to the Information Commissioner’s Office. Where a breach is likely to result in a high risk to those individuals, you must also tell them directly. Whether you need to report the breach or not, you’ll need to keep a written record of it: Article 33 requires controllers to document every personal data breach, including the facts, its effects and the remedial action taken, so that the ICO can verify compliance. This sits alongside the Article 30 duty to maintain a record of your data-processing activities.
When we talk about accountability in this context, it might seem natural to imagine a series of businesses, charities and government agencies answering only to a central regulator. But under the GDPR, that’s only half the picture. You’re also accountable to the individuals whose data you’re collecting. If they suspect you have neglected your duties, they can lodge a complaint with the ICO, or take you to court directly, without waiting for the regulator to act first.
In summary, if you’re collecting data, the GDPR obliges you to:
- Implement practices and procedures that’ll protect the data.
- Periodically review and update those practices and procedures.
- Know what to do in the event of a breach.
- Document every data-protection decision and the reasoning behind it.
Naturally, when your computer hardware reaches the end of its life, you’ll need to dispose of it in a manner that’s both safe and secure. All your data-protection efforts will be for nothing, after all, if you’re going to literally throw your data in the bin for anyone to fish out! Disposal is processing too, and an unwiped drive leaving the building is a personal data breach just like any other.
That’s where we’re able to help. We’ll keep your data secure, even as we’re recycling the hardware that carried it. If you partner with us for IT asset disposal, you can get full peace of mind with GDPR-compliant contracts as standard. If you’d like to learn more, then be sure to get in touch!