Utility Week

UtilityWeek 8th December 2017

Utility Week - authoritative, impartial and essential reading for senior people within utilities, regulators and government

Issue link: https://fhpublishing.uberflip.com/i/912853


UTILITY WEEK | 8TH - 14TH DECEMBER 2017 | 15
Policy & Regulation
Market view

Data rules will get tougher

The General Data Protection Regulation comes into effect next year, and it is critical that businesses start planning for its arrival sooner rather than later, says Paula Tighe.

It is important that companies dedicate enough time to understanding the new General Data Protection Regulation (GDPR), and realise that achieving compliance is not going to be a quick and easy process. Key decision-makers must begin pushing through the necessary changes now to avoid punishment for non-compliance once it arrives. Despite the UK leaving the European Union, companies will still have to comply: wherever the data comes from, if it is used, recorded or processed in the EU, it must comply with the GDPR.

Raise awareness and register it

Start by recording the entire compliance process, making note of every significant change your business makes to its policies and procedures. Also known as the "data register", this record will show what data your company currently holds, as well as the reasons for processing it, which will help protect a business against claims that it has breached GDPR regulations. Rather than preventing you from doing things, GDPR compliance aims to improve processes and procedures by making them more efficient.

Review existing privacy notices and policies, in both digital and hard-copy format: are they concise, written in clear language, easy to understand and easily found? Finally, ensure all important information is clearly communicated to your data subjects, including details on why their personal data is being processed, and how individuals can complain to the Information Commissioner's Office if they are unhappy.

Rights of the individual

Post-GDPR, individuals will enjoy much greater control over their personal data, which means companies must adopt new, effective procedures to handle requests quickly and efficiently. Data subjects can request that their data be edited or even deleted, so it is crucial you can prove there are processes in place to deal with any such request.

Perhaps one of the key drivers of the changes is the right of an individual to prevent their data being used for direct marketing purposes, as is the right to challenge and prevent automated decision-making and profiling.

Having transparent procedures will mitigate many potential future problems with the regulator, regardless of complaints or investigations. If your organisation correctly handles personal data under the current Data Protection Act, the change to GDPR should be no problem.

You must comply within a month when an individual makes a subject access request to see what information you hold about them. If you think the request has no merit, you can refuse, but you must tell them why and how they can complain to the regulator.

Never assume consent

Handling consent for the capture and use of personal data for more than just contact is a tricky area. Individuals must give clear consent for their data to be used and must be able to revoke consent at any time; if you want to use their data differently, you must obtain a new consent. How you attempt to obtain or confirm consent will help mitigate any future problems at the hands of the regulator.

Keep reviewing and recording

Where data processing could pose a significant risk to individuals because of the technology being used, or the scale of the processing, you should undertake a privacy impact assessment (PIA) before beginning the project. These assessments will help you and the regulator decide the likely effects on the individual if their data is lost or stolen, and should form part of your ongoing processes. Ensure you have a robust process for making the assessments and then record it, along with the outcome. A PIA is a simple step towards compliance, with the emphasis on what you do, rather than what you say you will do.

If your company handles data on a regular basis, then it could be worth appointing a dedicated data protection officer to oversee procedures and ensure your business is GDPR compliant. It does not have to be someone within your organisation; you might choose to appoint an appropriate individual on a part-time or consultancy basis.

It is not just electronically held data that can pose a problem; you also need to consider written records, which are also covered by the regulations. Ensure all your staff are trained on the correct handling of personal data.

Remember, recording the entire compliance process using a data register can be an extremely effective way of protecting your organisation, especially during the initial months of GDPR. Those businesses that are unable to prove they are actively making an effort to meet the new requirements are likely to suffer worse punishment than those who can.

Paula Tighe, director of information governance, Wright Hassall

Key points

UK companies must comply with the GDPR if they do business with EU firms, regardless of the UK's EU membership.

Companies should undertake compliance testing now, before the GDPR comes into effect.

In the future, individuals will have more rights to edit their personal data, or ask for it to be deleted.

Companies must respond to an individual's request within one month, or explain why a request has been turned down.

Companies must obtain and confirm consent to keep an individual's data.

Where data processing could pose a significant risk to individuals, a privacy impact assessment should be done.
