The 25th of May 2018 came and went without too much fanfare. In the months and years leading up to the deadline, GDPR was in the subject headings of thousands of emails, blogs and articles. Type 'GDPR' into Google and you get 12,700,000 hits. But what happened on the day? And how many people realised that 25 May 2018 was not a "deadline" but the start of GDPR compliance?
Restore Digital's Sarah Shelton caught up with David Teague, Regional Director of Wales at the Information Commissioner's Office. Having co-presented a webinar about GDPR in the days leading up to the legislative "deadline", they got together once again to pause and take stock of what lessons have been learnt - and what still needs to be clarified.
Sarah Shelton: David, we thought it would be a good time now to catch up after the webinar and talk about some of the questions that have been coming in since, so that we could clarify them for people.
David Teague: Yes, great. Always happy to clarify how GDPR affects people and organisations. We do a lot of myth busting!
SS: The feedback received was great, and a lot of people are still interested in learning more about GDPR. Have you found, as we have, that there still seems to be some confusion, with GDPR and the Data Protection Act 2018 (DPA 2018) being used interchangeably and people not quite clear where one ends and the other begins?
DT: Well Sarah, the Act is a piece of legislation specific to the UK and works alongside GDPR. While GDPR is EU legislation, member states have the freedom to make provisions for how certain parts of it apply to their countries. So the DPA 2018 covers processing outside the scope of GDPR and provides the UK position on those aspects of GDPR that EU member states can specify. This is also important as the UK prepares for Brexit and leaving the European Union in the next couple of years.
SS: David, the ICO repeat the mantra that people are at the heart of GDPR. We know that it's about people having more control of their data but what does it mean for organisations?
DT: It is absolutely true that people are at the heart of GDPR. At the basis of all the new rules and behind the legislation is the fact that both the DPA 2018 and GDPR are about allowing people to take control of their own personal data. What it means for organisations is that people have control over how their data is being held and what is going to be done with it. So, from a consent point of view for organisations, contrary to popular belief you do not need to get fresh consent from all your customers to comply with GDPR. Some organisations' consent policies are already compliant with GDPR standards and there are some companies who have ongoing relationships with customers who do not necessarily need to get fresh consent.
SS: A lot of people say that GDPR and DPA 2018 are an overhaul of data protection policies. What do you say about that?
DT: DPA 2018 was necessary and timely. GDPR is not a major overhaul of how companies hold data - it was an evolution, not a revolution. The previous data protection regulation was published prior to the rise of social media, and the digital world we live in has radically changed since 1998, hence the need to revamp the regulations. As the Information Commissioner said, GDPR is a 'step change' for data protection.
SS: For those organisations concerned about potential data breaches and the implications of holding paper copies of information with sensitive data, we think that it's a good time to assess how data is stored. What should organisations do with paper files archived in boxes with no catalogue, i.e. no index of the data subjects and personal data held in the archive records?
DT: It may be necessary to hold paper documents, or it may be that you are considering digitalising and storing your data in an online document management system. Whichever solution you choose, it is important to consider if the method is compliant and, if not, what steps need to be taken to ensure compliance. It is also important to understand the storage limitation principle, namely not holding personal data for longer than you need it, developing a policy that sets standard retention periods, reviewing the data you hold and being aware of an individual's right to erasure.
SS: Absolutely, we are definitely finding that organisations find it more effective to make the transition to online document management systems. While it sounds like an onerous task, scanning paper documents into digital form is actually a good way to keep your data together. The benefits of developing a digital system are that it stores information in one place, can provide mobile access for those working off-site and, perhaps most importantly, it is a more secure way of storing data. Gone are the days of rows and rows of filing cabinets full of paper at risk of being destroyed, copied, misplaced or misfiled.
This leads into how important it is that companies know what data they are holding.
DT: Yes, one area where GDPR is making a potential impact is the need to know your data: knowing what information you hold about an individual, where it is stored, how long you have stored it for and whether it is information that you necessarily need to hold.
SS: GDPR has highlighted the right of individuals to make Subject Access Requests (SARs) and emphasised the importance of retention management, but haven't they always been a right under the Data Protection Act? What is the difference under GDPR?
DT: The difference is that now there is no change for SARs and organisations have a month to respond to any request.
SS: Great, thanks David for your time. As a company we anticipate that there will be an increased burden on data controllers and processors to respond in a timely manner to SARs within this time period. Because of this, we feel that it's sensible for organisations, particularly in the Public Sector, to be prepared and have systems in place that enable data controllers to efficiently locate and retrieve a requestor's data.
Having digital files catalogued ensures that an organisation can be confident when faced with an SAR that it is able to retrieve all the data required in a timely manner. Digital scanning solutions such as Restore Digital can also add an OCR (Optical Character Recognition) layer to documents, which means that text within PDFs is readable and searchable, so a data controller can be confident that a full search has been carried out.