Don't panic over the GDPR

Ben White, Issue 118/05, p14, 01.05.2018
Organisations need to show they are on the road to compliance
Museums are understandably concerned about the General Data Protection Regulation (GDPR), which comes into force across the European Union on 25 May. But despite the need to take these new rules seriously, there is no need to panic. It is important to remember that few organisations will comply with all the regulations by the May deadline – they just need to show they are on the road to compliance.

MPs are still debating the data protection bill, which does create some challenges because the details of UK implementation of the new data protection legislation remain unconfirmed. Given this, cultural organisations should ideally plan to implement the GDPR itself and, once the bill comes into law, revisit their activities.

After the Snowden revelations and, more recently, Cambridge Analytica, and with the public realisation that privacy is a limited commodity in an online world, awareness of privacy issues has risen sharply. Organisations not only need to show how they use people’s personal information responsibly, but must also protect themselves from the financial and reputational harms of non-compliance with data protection laws.

A common misconception around data protection law is that personal data relates only to sensitive information. This isn’t the case – it also regulates “simple” forms of personal data such as name, email address and phone number.

Data protection law places many obligations on organisations that hold personal data (“data controllers”), but the main activities that should be undertaken to prepare for the GDPR include:

  • Data security: Misconfigured settings, forgotten data stores and not keeping patches up to date are common issues that create vulnerabilities for data controllers. In short, staying on top of your data security should be at the top of your GDPR to-do list.
  • Information auditing: To comply with the GDPR, it is highly advisable to understand more about the personal data you hold and how you use it. Many organisations are therefore undertaking what is called an information audit on what data they hold and why, where, when and how they hold it.
  • Privacy statements: After an information audit, organisations should review their public-facing privacy statements. These need to be as easily understandable as possible. They should outline your specific legal grounds for using personal data with regards to named activities, why you are using personal information, where the data comes from and with whom it is shared, as well as your contact details and the types of personal data you hold. Organisations should also communicate to people their rights under data protection law.
  • Record keeping: The GDPR requires data controllers to create and retain information in certain situations and also to provide specific information to data subjects, for example when responding to subject access requests.
  • Time-sensitive activities: The period within which a subject access request has to be responded to is being cut from 40 days to a month. A data breach that is likely to cause damage or distress should be reported to the Information Commissioner’s Office within 72 hours.
  • Transfers of personal data, particularly beyond the EU: Data protection law has rules regarding exporting personal data beyond the EU, so any activities, such as collaborative research projects or use of cloud-based services, that involve personal data travelling beyond the European Economic Area will require additional checks and safeguards.
  • Training: An important principle of the GDPR is what is known as “privacy by design”. Staff need training on the fact that protecting people’s personal information should be at the forefront of what you do as an organisation.

The Information Commissioner’s Office has lots of free support to help you comply with the GDPR, including a self-assessment toolkit.

Ben White works in the cultural heritage sector and in his own time is involved in the Cultural Heritage Institutions Privacy Alliance.

Comments

Anonymous
09.05.2018, 22:15
Personal data and sensitive personal data are, however, treated differently.

Generally, public organizations appear to be having a collective nervous breakdown over GDPR. I found myself trying to explain to our Data Protection Officer, as he shut down access to a server, that archive images of people dead for more than 100 years and of inanimate structures such as objects, historic buildings and landscapes were unlikely to be of great concern to the Information Commissioner.