Data Protection
IT & COMPUTING FOR THE PUBLIC SECTOR – www.governmenttechnology.co.uk

organisations will have for processing personal information under the GDPR. Consent is one way to comply with the GDPR, but it’s not the only way. The new law provides five other ways of processing data that will in many cases be more appropriate than consent for public bodies. If you do need to rely on consent for any processing, the GDPR is raising the bar to a higher standard for consent. Consent under the current data protection law has always required a clear, affirmative action – the GDPR clarifies that pre-ticked opt-in boxes are not indications of valid consent. The GDPR is also explicit that you’ve got to make it easy for people to exercise their right to withdraw consent. The requirement for clear and plain language when explaining consent is now strongly emphasised. And you’ve got to make sure the consent you’ve already got meets the standards of the GDPR. If not, you’ll have to refresh it.

Myth: All personal data breaches will need to be reported to the ICO.

Fact: It will be mandatory to report a personal data breach under the GDPR if it’s likely to result in a risk to people’s rights and freedoms. So if it’s unlikely that there’s a risk to people’s rights and freedoms from the breach, you don’t need to report. Under the current UK data protection law, most personal data breach reporting is good practice but not compulsory. And although certain organisations are required to report under other laws, like the Privacy and Electronic Communications Regulations (PECR), mandatory reporting of a personal data breach that results in a risk to people’s rights and freedoms under the GDPR will be a new requirement for many. The threshold to determine whether an incident needs to be reported to the ICO depends on the risk it poses to the people involved. Pan-European guidelines will assist organisations in determining thresholds for reporting, but the best approach will be to start examining the types of incidents your organisation faces and develop a sense of what constitutes a serious incident in the context of your data and your own customers. And organisations need to remember that if there’s the likelihood of a high risk to people’s rights and freedoms, they will also need to report the breach to the individuals who have been affected. We’ve provided some initial guidance in our GDPR overview that high risk situations are likely to include the potential of people suffering significant detrimental effect – for example, discrimination, damage to reputation, financial loss, or any other significant economic or social disadvantage. If organisations aren’t sure about who is affected, the ICO will be able to advise and, in certain cases, order them to contact the people affected if the incident is judged to be high risk. Our main aim is to help organisations get it right when it comes to using personal data – and that includes preparing for GDPR. There’s a wealth of material on our website to help.

“Many of the GDPR’s main principles are the same as those in the Data Protection Act. So, if you’re complying properly with the current law, then most of your approach to compliance will remain valid under the GDPR.”

FURTHER INFORMATION
www.ico.org.uk

DOCUMENT MANAGEMENT FOR THE PUBLIC SECTOR

Compliance is a difficult subject. Sometimes perceived as a necessary evil. Sometimes perceived as something to be managed only as and when it comes up. Take the forthcoming General Data Protection Requirements for example. Many believe they are too small to be impacted; many believe there is no need to be concerned. Many may be surprised to learn that they are not as correct as they assumed. This is because data protection applies to every organisation. Big or small, high risk or not, every organisation needs to be compliant.

selufen believes there is a smart way to manage this compliance and we want to make this manageable for your organisation. We look to integrate the data protection processes with the processes involved in an organisation’s existing information security or quality management systems. This is great for you because compliance becomes an integrated activity: personnel simply continue with their usual tasks because they understand their role in compliance, and your stakeholders are secure in the knowledge that you are aware of your risks and opportunities in a clear and resilient way.

Of course, compliance is still a difficult subject, but with selufen’s approach, compliance can be considered a problem solved.

Call or submit your quote request via our website
0044 (0)20 3291 3281 | solution@selufen.com | www.selufen.com

• Document storage, collection and retrieval services
• Shredding Services
• Bulk Scanning
• CCTV, fire and intruder alarms
• Free destruction date planning

Quote GBM2017 for preferential public sector discounts
0808 163 3341
info@accessrecordsmanagement.co.uk | AccessRecordsManagement.co.uk
Volume 15.6 | GOVERNMENT TECHNOLOGY MAGAZINE