Alison Johnston, lead policy officer for the Information Commissioner’s Office, urges charities not to panic about GDPR
I joined the ICO in January 2017 when the General Data Protection Regulation (GDPR) was over a year away and, despite being immersed in the world of data protection since then, I can’t quite believe that it’s now only three months until the GDPR comes into force on 25 May.
Just in case there’s anyone that’s not heard of the GDPR I’m going to use a quote from my favourite Disney film, Lilo and Stitch, to say “here, educate yourself!”
GDPR is an evolution, not a revolution. While there are new rights for individuals and responsibilities for organisations a lot of the current Data Protection Act (DPA) transfers over into the GDPR. For example, the data processing principles set out in the GDPR are similar to those in the DPA however there is a new accountability requirement which puts responsibility on an organisation to evidence their compliance.
There are also a lot of the same rights, they’ve just been enhanced so that we, as individuals, have more control over our data. You’ve probably seen the Right to be Forgotten under GDPR popping up, but did you know this right exists in the current DPA? The main difference, and this goes for other rights like restriction of processing, is that under GDPR individuals can exercise this right without a court order so organisations need to think about how they’re going to respond to these requests.
Now that we all know what the GDPR is, what can you do in three months to prepare? Firstly, don’t panic! Nothing has ever been achieved by blindly running around like your head is on fire. Secondly, don’t ignore it. Adopting the ostrich lifestyle and burying your head in the sand will not stop time from progressing and 25 May sneaking up on you.
So if you’re not panicking and not ignoring it, what are you going to do in the next three months? The good news is that the ICO has been working hard to produce guidance and provide support to help organisations prepare for the GDPR, and there is a lot of information available online.
The ICO has also produced 12 steps to preparing for GDPR, which will help you break down what you need to do to prepare for the GDPR and the guidance on our website will help you with the how.
Importantly, compliance is a constant process so think about what will happen after 25 May. What processes are you going to implement to monitor your compliance? How often will you review processes to ensure they are still effective?
If you haven’t had the opportunity to attend an ICO talk or workshop, we’re still out and about all over Scotland so keep an eye on your local events calendar. In particular:
• Shetland and Orkney – 26 and 27 March respectively. Contact the local Business Gateway for more details about our events.
• Dundee and Angus – In March we will be speaking at the Dundee TSI event and in April we’ll be talking at events for We Are ACK and Voluntary Action Angus.
• East Ayrshire – We will be returning to Kilmarnock in April with Volunteer Centre East Ayrshire to provide a GDPR update and a workshop.
• Aberdeenshire and Moray – This is short notice for this article’s publication but we will be speaking at events on 26 and 27 of February.
It can be difficult to find the right information so here are a couple of useful links for you:
• Getting ready for GDPR self help checklist
• Guidance on consent (including a checklist to help you ensure compliance)