Despite Arctic weather conditions outside, a seminar on the imminent launch of the General Data Protection Regulation (GDPR) in London’s iconic Goldsmiths’ Hall drew a packed audience.
Ardi Kolah, founder of data consultancy GO DPO®, Editor in Chief of the Journal of Data Protection & Privacy and Director of the GDPR Transition Programme at Henley Business School, alongside Richard Preece, outlined the practical aspects of the new regulation, exploding a range of myths surrounding its introduction and involving the delegates in two interactive exercises aimed at stimulating discussion around the risk levels associated with data collection, use and storage.
“We’ve all seen the potential penalties for data breaches and naturally, everyone wants to avoid them,” noted Ardi, “but our starting point has to be respect for the individual and building digital trust through best practice.
“GDPR is here to stay and even if you believe you are processing personal data for a ‘legitimate interest’, you will need to consider whether there are other, more appropriate legal grounds for using that personal data – such as consent from the individual. That consent, under the GDPR, needs to be unambiguous and an expression of their wishes.
“It’s wrong to assume that because someone’s personal details are in the public domain, they’ve given you unfettered permission to use this information in any way you like.
“Although such personal information, if it is in the public domain, will be ‘low risk’ in terms of the potential harm or damage that could occur to that individual, the risk is still there. For example, a photograph of someone contains metadata on the time and place at which that photo was taken, and the dietary requirements of a member or guest will be health information that automatically attracts a higher level of data protection, as it’s a special category of personal data.
“In such circumstances, this will require explicit consent from the individual in order to be processed. The rule of thumb is always to seek unambiguous or explicit consent in the context of processing this type of personal information.”
Addressing questions from the audience, Ardi confirmed that Data Protection Officers (DPOs) will be required in larger organisations, and suggested that smaller companies should outsource or share this function.
“Clear policies and procedures must be put in place so that you can demonstrate the actions you’ve taken, or intend to take. The ICO doesn’t expect 100% compliance from day one, but you would be well advised to limit internal access to data to key personnel, and be able to show that transparency, accountability and control are evident in all your processes – and those of any third parties with whom you work.
“So don’t panic. Understand the principles, identify the biggest areas of risk, and be aware that one of those is the risk to your own reputation. By doing the right thing, you can enhance it greatly.”
The 7 principles of processing personal data
1. Lawfulness, fairness and transparency
2. Purpose limitation – collecting data only for explicit and legitimate use
3. Data minimisation – only holding and using what is relevant and necessary
4. Accuracy – keeping data up-to-date
5. Retention – maintaining data in an identifiable format
6. Integrity and confidentiality – keeping the data secure
7. Accountability – demonstrating compliance with the GDPR.
At Henley, fifteen types of data have been identified, based on the level of risk. Information deemed to be at the highest risk levels includes medical records, data which could cause reputational damage to individuals or organisations, or any which could involve or lead to discrimination, identity theft or financial theft.
Find out more about the GDPR Transition Programme at Henley and how it can benefit you and your organisation.