Craft Focus - Dec 2017/Jan 2018 (Issue 64)

these notices and policies to your data subjects. The new GDPR requires you to clearly explain your reasons for processing data, and you must show individuals how to complain to the Information Commissioner’s Office if they think you’re doing something wrong.

RIGHTS OF THE INDIVIDUAL

GDPR aims to give individuals greater control over their personal data, which means businesses must review and amend existing policies where necessary to meet the requests of data subjects. Individuals now have the right to request that data is edited or even erased, so it is important to introduce a procedure that can deal with such requests quickly and efficiently. Perhaps one of the key drivers for the changes is the right for an individual to prevent their data being used for direct marketing purposes, as is the right to challenge and prevent automated decision-making and profiling.

Having transparent procedures in place will go a long way towards heading off any future problems with the regulator, regardless of complaints or investigations. If your organisation already handles personal data correctly under the current Data Protection Act, the switch to the GDPR should pose no real problems.

PREPARE FOR PERSONAL REQUESTS

If an individual makes a subject access request, to see what information you hold on them, you must comply within a month. You can refuse to comply if you think the request holds no merit – but you must tell them why and that they can complain to the regulator. For SMEs, it will be more important to show a willingness to comply by trying to implement all the necessary steps and creating a data register, than to be fully compliant in May.

NEVER ASSUME YOU HAVE CONSENT

Handling and obtaining consent for personal data is one of the trickier aspects of the new GDPR. Individuals must give clear consent for their data to be used, but must be allowed to revoke consent easily at any time.
If you change the way you want to use their data, you must obtain a new consent. Consent must be implicit and your attempts to obtain or confirm consent will help mitigate any future problems at the hands of the regulator.

KEEP REVIEWING AND KEEP RECORDING

Where data processing could pose a significant risk to individuals because of the technology being used, or the scale of the processing, you should undertake a Privacy Impact Assessment (PIA) before beginning the project. These assessments will help you and the regulator decide the likely effects on the individual if their data is lost or stolen and should form part of your ongoing processes. Ensure you have a robust process for making the assessments and then record it, along with the outcome – a PIA is a simple step towards compliance, with the emphasis on what you do, rather than what you say you will do.

MAKE SOMEONE RESPONSIBLE AND KEEP IT UP

If you routinely monitor or process personal data on a large scale, you should appoint a data protection officer who understands the regulations and how best to drive your data privacy processes. It’s not just electronically held data that can pose a problem – you also need to consider written records, which are also covered by the regulations. Make sure all your staff are trained on the correct handling of personal data.

The ‘Data Register’ will serve as proof for organisations that are defending themselves against claims of a data breach – not recording your progress could land you in hot water later down the line. Organisations that can prove they have made an effort to comply, even if they are not fully compliant with every aspect of the GDPR from the word go, will do better.

Paula Tighe is a qualified data protection professional and leads the trusted advisor information governance service.
Experienced in working with small, medium and large private and public bodies, Paula advises on a range of data protection issues, including training design and delivery, marketing, housing, project management and ICT security.

Wright Hassall, a full-service law firm, advises clients across a variety of sectors including advanced manufacturing and engineering; food and agriculture; housing, development and construction; and gaming and digital media. To find out more, visit their website wrighthassall.co.uk.
