Organisations are now fully staffed for the first time in almost a month. While most people will be prioritising the unread items in their e-mail inbox and preparing a fresh “to do” list, priority should also be given to Data Protection, especially with the new General Data Protection Regulation (Regulation) applying from next year. The Regulation contains higher standards than the current Data Protection Act 1998 (DPA).
We have devised the following 10-step Data Protection action plan for your organisation for 2017:
Make a New Year’s resolution to improve the Data Protection health of your organisation by undertaking a Data Protection audit. An audit will identify the areas where your organisation needs to improve its compliance with the DPA. If your organisation does not comply with the DPA now, it will struggle to adapt to the higher standards in the Regulation when it applies from May 2018.
When did your organisation last provide Data Protection training to staff? Even if staff were trained relatively recently, Data Protection is a dynamic area and much may have changed since then. If new staff are not given Data Protection induction training, think about putting this in place. When the Information Commissioner’s Office (ICO), the regulatory body for Data Protection in the UK, investigates an organisation, one of the questions it asks is whether, and when, staff were provided with Data Protection training.
Review your organisation’s physical and technological data security measures. Do you have a visitor book at reception to record the entry and exit of visitors to your premises? Are you relying on out-of-date security software, for example products that are no longer supported or patched by the vendor? If your organisation has not updated its data security measures for some time, consider what is currently available and what it costs. If your organisation handles sensitive personal data, or data relating to children, vulnerable adults, health or criminal convictions, then stronger measures may be necessary to ensure that the data continues to be protected from emerging threats.
If your organisation is looking to introduce new IT systems, working procedures or technology into the workplace, it should first carry out a Data Protection impact assessment. As part of this, your organisation should identify the benefits to be derived from the new systems, procedures or technology, such as increased efficiency and cost savings, and weigh these against their potential privacy impact. For example, a tracking device fitted to a company vehicle will also monitor the location of the member of staff driving it. The new systems, procedures or technology should only be implemented if they are the least privacy-invasive means of achieving the desired end. Otherwise, less privacy-intrusive alternatives must be identified and considered.
A new year provides a prime opportunity for your organisation to revise its marketing strategy for the year ahead. If this involves targeting a new sector, then the direct marketing requirements contained in the DPA and the Privacy and Electronic Communications (EC Directive) Regulations 2003 must be complied with. In particular, unsolicited direct marketing communications must not be sent by e-mail or SMS to individual subscribers unless the recipient has given your organisation prior consent; the only exception is the “soft opt-in” for existing customers who were offered a simple way to refuse marketing when their details were collected and in every message since.
It might have been some time since your organisation last reviewed its notification to the ICO. Visit www.ico.org.uk and consider whether the notification register entry still accurately reflects the types of personal data that your organisation handles, what it uses them for and who they are shared with. If not, update the notification register entry immediately. Failure to notify changes to the ICO is an offence under the DPA.
Good Data Protection is good for business. But Data Protection is not just something that your organisation should be seen to be doing from the perspective of the outside world. It should be embedded in the culture of your organisation, too. As well as implementing appropriate policies and procedures, putting up awareness-raising posters and providing staff with desktop “top tips” documents, think about appointing an internal “Data Protection Champion”. This person would be responsible for fostering a Data Protection culture within your organisation, in which Data Protection is viewed as an integral part of the business process rather than an unnecessary hindrance.