Lauren Posted April 26, 2018

Following on from a forum question last week I thought it might be helpful to go through some of the issues that you might need to take into consideration in preparation for the GDPR that comes into effect next year. I have been using this document as the basis of this piece: Preparing for the General Data Protection Regulation (GDPR). 12 steps to take now [ICO. V.20 201700525]

Things you need to know:
GDPR stands for: General Data Protection Regulation
The new regulation comes into effect from 25th May 2018
Much of it is the same as the current Data Protection Act requirements - however some things are different, and you need to know about them!

Something you need to do first:
Work out who in your team will be able to help make sure you're compliant. It's probably good to have at least a couple of you working together so you can help each other out. You may also want to designate a Data Protection Officer. They will be able to advise you and check that you have done everything you need to. Not every setting will need this though - we'll come back to whether you do in post #11.

This is what early years settings might like to think about in preparation:
Use the '12 steps to take now' document to audit what they already do to meet data protection requirements.
Use the audit sheet provided in each separate thread to document the audit process.
Collate details into a 'To Do' list - make an action plan.
Complete action plan!

This is #12 of 12 threads which will help you think about what you need to do to be ready for 25th May 2018 and is about if your organisation operates internationally.

International

This section is mostly about identifying who your 'Lead Supervisory Authority' is if you're processing data/have establishments in several different EU countries (known as cross-border processing).
It's a good idea for you to do this if that's you because it means that you'll only have to deal with one regulatory body rather than several and therefore only one set of rules and procedures. For those of you based in the UK and dealing with data subjects purely within the UK, this doesn't apply to you - your regulatory body is the ICO.

But, if you have several establishments across Europe or if you're processing data that might significantly affect* data subjects based in other EU countries, then you need to have a think about where decisions regarding how and why you process data happen. If that all happens in one place, then your Lead Supervisory Authority will be the one for that country, but if you're a multinational company and decisions are made in different places then you'll need to record which branches are responsible for what. In these cases you will have to deal with the relevant supervisory authority for each processing purpose.

If you aren't based in the EU at all but you are processing the personal data of people in the EU, then you can't just choose one supervisory authority. You'll need to have a local representative in every country where you have data subjects and you'll need to deal with the regulatory body within each of those countries. In reality that doesn't mean you'll need an employee or a branch in each country, but rather a lawyer who will be able to represent you and be a contact point for the data subjects in that country.

Whilst it's not covered in the ICO 12 steps, the other obvious thing when it comes to the heading 'International' is transferring data outside of the EU, for example, to be processed in a branch of your company outside of the EU. This is allowed if you have a lawful reason for processing and the country you're sending it to has what's known as an 'adequacy rating', which is essentially the EU's way of saying this country has acceptable data protection laws.
You should, however, still be really clear with your data subjects about where their data is going. If you want to process the data in a country without an adequacy rating then it's quite a bit more complicated and is only allowed if you've implemented appropriate safeguards and you can be absolutely sure that your data subjects will still have all their rights.

*'significantly affect' isn't actually defined in GDPR but this working party guidance describes how it might be interpreted and generally goes into this subject of lead supervisory authorities in more depth so it's worth a read if you're interested! http://ec.europa.eu/information_society/newsroom/image/document/2016-51/wp244_en_40857.pdf