Data controllers will find themselves subject to more stringent rules under new EU General Data Protection Regulation (GDPR) due to come into force May 2018.

The first step is to visit to the ICO's website - Information Commissioner’s Office to self-assess whether your organisation needs to be registered or not says Val Surgenor

The term “data controller” is used to describe any entity that determines the purposes and manner of data processing. This of course captures a huge number of organisations and companies operating in the United Kingdom – including many organisations operating in the third sector, in fact most businesses will be data controllers because of the client/donor and employee personal data they hold and collect!

Most data controllers should be registered with the ICO.

Current law, dictates data controllers bear the brunt of data protection compliance and have to evidence their compliance with the legal requirements (for example, making sure those third party fundraising organisations you utilise maintain adequate organisational security measures and this is recorded) and the position under the GDPR sees no relaxation of this and indeed you as a data controller will find that your organisation is subject to more stringent rules under the new regime.

Most noteworthy include:

  • A general requirement for greater transparency towards data subjects all the way from the content of privacy notices to the manner of processing itself, such as being more forthcoming about the rights of data subjects;
  • Increased requirements for consent to data processing, particularly in relation to sensitive data;
  • Being more mindful of the data subject’s age and potentially obtaining consent to the processing of a child’s data from an adult;
  • Tighter timelines to respond to data subject access requests;
  • Carrying out privacy impact assessments and appointing data protection officers;
  • Notifying data breaches to the ICO and also to individuals in the case of severe breaches;
  • Complying with the new rights that individuals have under the GDPR, including the right to be forgotten, the right to restricted processing, the right to data portability and the right to object to automated decision-making and profiling;
  • The obligation to pseudonymise or encrypt personal data as an additional security measure in certain circumstances; and
  • Maintaining records of data processing activities, such as the purposes of the processing and details of third parties to whom the data has been or will be disclosed (although, thankfully for data controllers, the requirement to register their data processing activities with the ICO will disappear).

What should be flagged up, though, is the requirement to implement a data protection policy, where this is proportionate to the controller’s data processing activities. This is part of the overarching requirement to ensure that the data controller’s technical and organisational measures are on par with the extent and risks of the relevant data processing activities as well as the rights and freedoms of individuals. For example, where data processing activities are extensive, a data protection policy should be put in place (and of course enforced) to ensure the processing will be considered lawful under GDPR.

A data protection policy helps to ensure that your employees are aware of the requirements you are faced with as a data controller and will provide practical tips (such as dos and don’ts) when it comes to their daily tasks. A data protection policy can also be incorporated into your agreements with data processors to ensure they are required to comply with the same standards that apply within your organisation

source val surgenor, macroberts llp 09.12.16