Organisations are now fully staffed for the first time in almost a month. While most people will be prioritising the unread items in their e-mail inbox and preparing a fresh “to do” list, priority should also be given to Data Protection, especially with the coming into force next year of the new General Data Protection Regulation (Regulation), containing higher standards than the current Data Protection Act 1998 (DPA).
We have devised the following 10 step Data Protection action plan for your organisation for 2017:
Make a New Year’s resolution to improve the Data Protection health of your organisation by undertaking a Data Protection audit. This will help to identify areas where your organisation needs to improve its Data Protection compliance to meet DPA requirements. If your organisation does not comply with the DPA now, it will struggle to adapt to the higher standards contained within the Regulation when it comes into force in May 2018.
When did your organisation last provide Data Protection training to staff? Even if staff were trained relatively recently, Data Protection is a dynamic area and much may have changed since then. If new staff are not provided with Data Protection induction training, think about putting this in place. When the Information Commissioner’s Office (ICO), the regulatory body for Data Protection in the UK, investigates an organisation, one of the questions it asks is whether and when staff were provided with Data Protection training.
Review your organisation’s physical and technological data security measures. Do you have a visitor book at reception to record the entry and exit of visitors to your premises? Are you using antiquated Internet security software? If your organisation has not updated its data security measures in some time, consider what is currently available and the cost. If your organisation handles sensitive personal data relating to children, vulnerable adults, health or criminal convictions, then increased measures may be necessary to ensure that the data continues to be protected from emerging threats.
If your organisation is looking to introduce new IT systems, working procedures or technology into the workplace, it should first carry out a Data Protection impact assessment. As part of this, your organisation should identify the benefits to be derived from the introduction of the new systems, procedures or technology, such as increased efficiency and cost savings, and balance these against their potential privacy impact; for example, a new technology fitted to a vehicle could result in the monitoring of staff locations. The new systems, procedures or technology should only be implemented if they represent the least privacy invasive means of achieving the desired end. Otherwise, less privacy intrusive alternatives must be identified and considered.
A new year provides a prime opportunity for your organisation to revise its marketing strategy for the year ahead. If this involves targeting a new sector, then the direct marketing requirements contained in the DPA and the Privacy and Electronic Communications (EC Directive) Regulations 2003 must be complied with. In particular, unsolicited direct marketing communications must not be sent by e-mail or SMS, unless the recipient has provided prior consent to your organisation.
It might have been some time since your organisation last reviewed its notification to the ICO. Visit www.ico.org.uk and consider whether the notification register entry continues to accurately reflect the types of personal data that your organisation handles, what it uses it for and who it is shared with. If not, update the notification register entry immediately. Failure to notify changes to the ICO is an offence under the DPA.
Good Data Protection is good for business. But Data Protection is not just something that your organisation should be seen to be doing from the perspective of the outside world. It should be embedded in the culture of your organisation, too. As well as implementing appropriate policies and procedures, putting up awareness-raising posters and providing staff with desktop “top tips” documents, think about appointing an internal “Data Protection Champion”. This person would be responsible for fostering a Data Protection culture within your organisation, where Data Protection is viewed as an essential and integral part of the business process rather than an unnecessary hindrance.
Make it a priority in 2017 to ensure that the personal data that your organisation holds is accurate and up-to-date. While this DPA requirement applies across the board to all personal data held by your organisation, two key areas are contact and personal circumstances information. One means of keeping this personal data up-to-date is to issue a communication to staff, suppliers and customers, asking them to check and update the personal data that your organisation holds on them. This can be done by either including the personal data held within the communication or providing online access to your organisation’s records.
Think ahead to the Regulation and the changes to be introduced to Data Protection law – the most significant reform of the law in over 25 years. Updates include a new transparency principle (requiring organisations to maintain detailed records of their data processing activities), higher standards of consent, new rights for individuals, a requirement to notify data security breaches to the ICO and increased penalties for non-compliance. Organisations must not leave it too late and must start thinking now about the steps that they need to take to bring their Data Protection practices up to the Regulation’s standards.