
General Data Protection Regulation (GDPR)

From 25 May the General Data Protection Regulation (GDPR) comes into force and replaces the Data Protection Act, which has governed data protection for the last 20 years.

But will we be ready?
GDPR will affect everyone in the council. It could be that you process the personal data of residents, clients or customers – everyone from school pupils and council house tenants, to social care clients, leisure centre or library users. It will also affect you as an employee as we – Moray Council – process your personal information.

It’s designed to provide greater transparency, enhanced rights for citizens and increased accountability. Here are some of the changes which we need to prepare for:

We have to demonstrate compliance
‘Getting it right’ isn’t enough anymore; we have to demonstrate how we’re complying. Work is under way to compile a register so we know what personal data is held, how it’s processed, who processes it and the ‘lawful basis’ for processing it. We’ll also be updating our privacy notices and consent forms.

What’s a ‘lawful basis’?
Whenever we process someone’s information we must have a lawful basis for doing so. There is a list of these and we’ll be recording which apply to each of our processes.

New process?
Whenever we need to update, expand or start a new process, we have to consider its impact on data protection. These assessments make us think about how to minimise data protection impact and risk. This could mean designing the service or project in a way which reduces or avoids processing, making sure that only the minimum data required is used and that data is protected.

Contract terms and procurement
It’ll be up to us to check the data protection credentials of prospective suppliers to make sure data is protected wherever it is handled.

Recording consent
We’ll have to update consent forms so they’re clearer about the way the data we’ve collected will be used, stored and shared. We’ll need to record consent, including details like who signed the consent form, when and what we told them about the processing. We must also make it easy for people to withdraw their consent if they wish to.

New and enhanced rights
Under the GDPR people will have the right to be ‘forgotten’ and an enhanced right to object to processing. Not all rights are applicable in all circumstances; for example a data subject can’t ask that their prison sentence is forgotten. Our register of processing and records of consent will help us make quick decisions when people make applications under these new rights.

New breach notification rules
Data protection exists to protect us all. The consequences of a breach can be severe and can include significant distress if our private information is made public, or financial loss if our card details are stolen. Any employee must report serious breaches to a supervisor or line manager as soon as they become aware of one.

The sooner breaches are reported, the higher the chances of successfully averting or containing them. The Information Commissioner (ICO) will be able to impose fines of up to €20m for breaches, so it’s really important that we are all vigilant and do our best to keep data safe.
