April 2019

Ensuring businesses and organisations remain committed to complying with new data protection legislation remains a key focus for the ICO nearly a year on from the implementation of the GDPR. So what should you be thinking about for 2019?

  1. Organisations that have not yet done so will need to update their existing policies and procedures in order to reduce the risks to people’s personal data. These policies should explain what personal data you collect from individuals, how it is processed and which legal basis you rely on for the processing.
  2. In some cases, organisations will need to implement new policies to reflect their new responsibilities under the GDPR. These might include a data retention policy, which explains how long personal data is retained and why, and a data subject access request policy, which may be useful for determining who handles requests internally and what steps a data subject should take if they are considering making a request.
  3. With Brexit looming, the ICO has encouraged those organisations that rely on international data transfers for the running of their business to engage with their EU counterparts. This will ensure that the correct measures are in place to allow the flow of data from the EU to the UK in the event of a no-deal Brexit.
  4. Refresh your GDPR training – it is not a one-off exercise, and regular training helps you adhere to the accountability principle, which is just one of the many principles that underpin the GDPR. Consider giving advanced training to those who handle large volumes of personal data, e.g. those who work in HR or who have taken on the role of data protection officer.
  5. Respond & report – ensure you understand that you have a responsibility to respond to subject access requests within 30 days of receiving the request and to report any data breaches to the Information Commissioner within 72 hours of discovering the breach. This will limit your risk of being issued with a monetary fine.
  6. Understand the key message(s) behind recent monetary fines issued to large-scale companies. These fines remind us that when it comes to processing personal data, it is crucial to be transparent about what you do with the data you process.

Society is becoming even more data-driven than before, and while the 50 million euro fine issued to Google was the first to be issued under the GDPR, it certainly won’t be the last. As organisations continue to implement and rely on advances in technology, it is even more important to remember that the ICO continues to regulate the activities of businesses across the UK, and that individuals are increasingly aware of their renewed rights under the GDPR and DPA 2018. Making sure you adopt an ongoing compliance culture not only helps demonstrate accountability but also protects your organisation from financial risk and reputational fallout.