If all goes to plan, the rules are expected to be agreed in early 2016 and will come into force in 2018. The rules are likely to be accompanied by a significant number of announcements from politicians and regulators explaining how new enforcement rules (and potentially very significant fines) will strongly encourage all companies to better respect the privacy of their customers.
But what will this mean for companies in practice? And what steps can they take now to ensure that their internal systems and processes will be fit for purpose?
While the final text of the Regulation is not yet available, and probably won’t be until at least the end of the year, drafts of the Regulation have been in circulation since 2012 and the direction of travel is clear.
In terms of corporate governance, there will be a renewed focus on ensuring that companies designate an individual who can provide sufficient assurance to senior management that appropriate controls are in place and are working efficiently. Data Protection Officers will be expected to act in an independent manner. Companies will be required to retain (and in many cases, generate) documentation to demonstrate compliance with the new rules.
Companies will have to report data breaches to regulators within specific time limits, where feasible. They will also be required to consult with regulators before embarking on initiatives where the data processing may present a high risk to the privacy of individuals. Risk assessments – currently known as Privacy Impact Assessments – will have to be carried out more frequently, and the results of these assessments may have to be made available, on request, to regulators. Privacy Impact Assessments carried out by public authorities will increasingly be published on websites (examples of our work can be found on the CER and DCENR websites).
Customers will have enhanced rights to obtain their own personal information, probably at no cost, as the £10 Subject Access Fee may be abolished. They will expect more information about how their personal information is used (and for how long it is retained), and will be able to ask that it be supplied to them in a commonly used format. Customers will be presented with more prominent notices explaining how their data is used for marketing and for various profiling purposes – and how they can object to some of these purposes. This may also lead to customers invoking rights to request the deletion of their personal data. Companies may explain that regulatory requirements to retain data override the right to request that it be deleted; however, to avoid reputational damage, companies will need to ensure that this is managed with the customer perspective in mind.
What can be done to prepare for the new requirements now?
The Information Commissioner’s Office (ICO) has stressed that companies can best prepare for the new rules by ensuring that they can readily demonstrate how well they comply with the current rules. And it is very clear what standards the ICO expects well-managed companies to have.
- In terms of governance, for example, to what extent are data protection responsibility, policies and procedures, performance measurement controls, and reporting mechanisms to monitor Data Protection Act (DPA) compliance in place and in operation throughout the organisation?
- In terms of training, to what extent does the organisation provide and monitor staff DPA training? Are staff appropriately aware of DPA requirements relating to their roles and responsibilities?
- In terms of records management, what processes are in place for managing both manual and electronic records containing personal data? Are appropriate controls in place to monitor the creation, maintenance, storage, movement, retention and destruction of personal data records? This includes microfiche and paper, as well as electronic records.
- In terms of security, are technical and organisational measures in place to ensure that there is adequate security over personal data held in manual or electronic form?
- Does the organisation have adequate processes in place to respond to any requests for personal data? This will include requests by individuals for copies of their data (subject access requests) as well as those made by third parties.
- And finally, data sharing – has the organisation designed and operated controls to ensure that the sharing of personal data complies with the regulatory (and statutory) rules?
Companies that can confidently demonstrate that their internal controls currently provide senior management with sufficient assurance that they are good at data protection governance, training, records management, security, requests and data sharing won’t need to worry too much about the likely implications of the new rules.
An increasing number of companies are already assessing the extent to which they comply with existing data protection rules, and are developing new processes that will meet the requirements that are expected to be imposed by the General Data Protection Regulation.
What preparations is your company currently making?
If you would like to find out more about our work with Privacy Impact Assessments or how we can help you, please do get in touch by email or contact us on +44 (0)20 7090 1091.