The GDPR* is coming into force very soon (25th May in fact). This will have, and already has had, a significant impact on the way we all have to handle personal data.
It's fair to say that most organisations have found preparing for the GDPR a little overwhelming.
Two key themes of the GDPR.
Whatever stage you're at with preparing for the new rules, it's important to keep in mind its main aim. To help keep things simple, there are two key themes which underpin many of the practical changes which the GDPR will introduce: transparency and accountability.
Keeping these in focus can help resolve the finer (sometimes contentious) details of actually applying the law in practice. Taking a step back and thinking about the purpose of the GDPR helps to simplify compliance and keep the new requirements in perspective.
Transparency | What are you doing with my data?
Transparency helps form the backbone of the GDPR. In simple terms - it's telling people what you're doing with their personal data.
The best way to look at this is as if you are standing in the shoes of the individual whose data you are using. You need to make it clear to them 'at a glance' what you're doing with their data, without them expending much time and effort.
This will typically be done through your privacy notices. Confusingly, privacy notices are also called 'privacy policies', 'data protection statements' or something similar. But regardless of what it's called, it's the document which tells people how you use their data.
You have to tell people what you're doing with their data in concise, plain language. The days of scrolling through reams of pages filled with jargon are gone. You need to explain the key points about your use of data, and fast:
Why do you need personal data?
What are you doing with it?
Who are you sharing it with?
Is it leaving the EU?
What can individuals do if they don't like your use of their data?
The clearer the explanation of what you're doing with personal data, the better position you'll be in to show you're complying with the GDPR.
Ok, so you've made it easy to understand but if your privacy notices are buried deep in your website, it's not much use.
So to be transparent you also need to consider how you provide the notice to individuals – if it's on your website, is there an obvious link to it on your homepage? If it's being sent in hard-copy, is it clearly marked as a standalone document (rather than stapled to the back of a lengthy contract)?
Accountability | Showing how it's done.
The second main theme is accountability. Under the GDPR, it isn’t enough just to protect personal data; you also need to demonstrate how you're doing this.
Organisations need to show that data protection is always on their minds and that they're documenting this as they go. In practice this includes:
(1) keeping records of data processing activities (although there is an exemption for some smaller organisations)
(2) completing a data protection impact assessment where new uses of data pose a high risk for individuals
(3) making sure there are written contracts in place between data controllers and data processors
(4) keeping records of all data breaches
Open. Transparent. Documented.
It's very easy to get overwhelmed by the GDPR, the Data Protection Act 2018 and the mountain of guidance which is constantly being published and updated. In practice, interpreting the law and applying the guidance can be incredibly complicated.
The key thing not to lose sight of is that, however you decide to comply with the GDPR, as long as you are being open and transparent about your approach, and your rationale for adopting your compliance strategy is clearly documented (and is not wildly off the mark), you will be in a good position come 25th May (assuming you're not taking an approach which is wildly unjustifiable!).
In it for the long haul.
It's also important to keep in mind that the GDPR is about universally improving standards of data protection for the foreseeable future; it's not just about being compliant for this one Friday in May.
*The GDPR | Legally speaking.
The GDPR (the General Data Protection Regulation) will have direct effect in all EU countries on 25th May (including the UK). The GDPR replaces our existing data protection legislation and creates a wide range of new standards and obligations with which organisations must comply. We also have the Data Protection Act 2018 (DPA18) coming into force which will sit alongside the GDPR. The GDPR is written in fairly broad terms so one of the purposes of the DPA18 is to add some extra detail to the new law.