How to check your supply chain is ready for GDPR
There has been a great deal of noise recently about GDPR – the General Data Protection Regulations – which come into force across the EU on 25th May 2018, regardless of Brexit.
Many organisations are only just starting their journey towards compliance, and there will be many who mistakenly believe that they are compliant, either because they have not fully audited the business or because they have assumed that compliance with the current Data Protection Act is sufficient after May 25th.
What does GDPR cover
GDPR has been introduced to protect the rights and freedoms of individual persons and their personal data and to allow free movement of data within the EU.
It covers all the personally identifiable data – i.e. any data relating directly or indirectly to any identifiable living person - held across the entire organisation, including debtors’ data for civil enforcement agencies. It also covers the security of that data.
It is not possible to write a complete guide to GDPR in one article – the legislation itself is 90-odd pages long – but here are some of the key points to check that your supply chain will be compliant by next May at the very latest.
Lawful purpose
Data controllers are a person, authority, agency or body which determines the purposes and means of personal data processing. An organisation which is a data controller must have a lawful purpose to hold and process the personally identifiable data. There are six categories of lawful purpose:
- Consent for specific purposes
- Contractual necessity
- Controller bound by legal obligation
- To protect vital interests
- Controller’s legitimate interests
- Public interest, official duty
Security of data
All data must be held securely and transferred securely. This will entail firewalls, encryption, robust procedures and a good deal of staff training.
Data breaches must be reported within 72 hours, so this might also mean putting in place systems that alert to a data breach, whether system-related, such as hacking or malware, or human error, such as sending data to the wrong person.
Data collection and retention
Organisations must only collect the minimum data set that they need to complete the purpose. You will have to justify to the ICO why you have collected data that you do not need. A tailor might need inside leg measurements, but probably no one else does!
Data must also not be kept for any longer than is necessary. The time frames are not specified. If there is a legal requirement to keep data for a certain time, say six years, then there is no breach by retaining it for that long, but if it is not destroyed in year 7, there will have to be a very good reason for keeping it.
Right to be forgotten
Under GDPR, data subjects have the right to ask for their data to be completely deleted. Organisations must have processes in place for subject access requests and to delete data when asked to do so. The exception to this would be if there was a legal or regulatory requirement to retain it.
Privacy notice
Privacy notices must be updated to cover what data is collected, how it will be used, under what legal basis it will be stored and processed, the retention period, individual rights and the right to withdraw consent at any time (where relevant) and describe any automated decision making.
Vulnerable debtors
GDPR introduces a new category of “sensitive personal data”, which includes physical or mental health or conditions, thus encompassing vulnerable person information.
The data subject’s consent is extended as an explicit requirement for certain categories of data, including health. This will impact all in enforcement as part of their duty of care to vulnerable persons.
Excel Civil Enforcement’s position on GDPR
Excel has achieved formal accreditation through the rigorous assessment of the British Standards Institute in several areas, including Information Security Management – ISO 27001: 2013, which helped us to be well-prepared for GDPR. (Note: our standards accrediting body has since changed to NQA)
We have already completed a full audit of the organisation and have almost completed all remedial actions, so that we will be compliant with GDPR in early 2018, well ahead of the deadline.