From May 25th 2018 all businesses need to ensure they comply with the new General Data Protection Regulation (GDPR) regulations. In this blog we quiz our Data Protection Officer Vincenzo Ardilio about GDPR, the role of the Data Protection Officer and how to ensure your practice is GDPR compliant.
What is a Data Protection Officer (DPO)?
It is an advisory and monitoring role. The DPO needs to have an in-depth knowledge of privacy law and understand the context of whichever organisation they’re working for. There are many myths surrounding DPOs, for example that they stop you from doing things. But really a DPO shouldn’t be doing that. The role is about helping the organisation to do what they need to do in a way that’s compliant with data protection rules.
My understanding is that only certain organisations need a DPO.
Yes that’s right. It is only the public authorities that need to formally designate a DPO and any other organisation whose core activities involve systematic, regular monitoring of people or that use of sensitive personal data. For example, a security company that runs a large public CCTV system would need a DPO. Accountants may not need a formal DPO but it would make sense to at least assign a data protection lead who takes responsibility for ensuring the practice complies with the regulations.
What role would the data protection lead play?
The data protection lead needs training to make sure they understand the regulations, and they’ll have to communicate this to staff in their practice. They need to have the necessary authority to make changes and advise the managers to implement these changes. Generally speaking, it is an education and awareness role. Whoever the lead is cannot be expected to ‘wave a magic wand’ to make the practice compliant on their own - it is the responsibility of everyone who deals with personal data.
What do you think are the biggest challenges facing practices dealing with GDPR?
I think the challenge for smaller practices is going to be navigating through the plethora of material that has been created by many GDPR ‘experts’. There are lots of myths around GDPR and data protection in general. I would advise them to go to the Information Commissioner’s blog which has a myth-busting section that will give them a sense of proportion on what the practice needs to do to comply.
GDPR builds on the existing Data Protection 1998 Act, but what are the most significant enhancements?
The enforcement regime is potentially a lot stronger with GDPR. In my view, the Data Protection Act 1998 is very vague in terms of transparency and the ‘right to know’. GDPR, on the other hand, actually lists what you need to include in your privacy notices and explanations.
In terms of other legal requirements, if a practice is relying on consent as their legal basis they’ll have to be on top of their record keeping. Consent is now active rather than simply not objecting. And consent can be withdrawn. Practices would need to think about how they can evidence consent and handle anyone withdrawing consent.
Another change is that processors are now liable for specific issues under data protection law. This is very good news for accountants who are ‘controllers’ and might have a number of other entities providing a service to them that use personal data. But it doesn’t take away the accountants’ responsibility to carry out due diligence and have the right agreements in place with these services.
GDPR is also clearer on security and the concept of privacy by design and default, which is now an explicit legal requirement rather than simply good practice.
For a small practice, some of the GDPR requirements can seem a little onerous. Would you agree?
I think it can be quite scary when you look at the regulation but its core is really about demonstrating the business is in control. I don’t think it’s unreasonable to expect any organisation that’s using personal data to know what they’re doing with that personal data and to know what they’ve got in place to protect that data and the privacy of the people they use information about. The Information Commissioner has some good advice for small practices on their website and even have an assessment tool for small businesses.
Will GDPR still apply after Brexit?
In short, yes. The RT Hon Matt Hancock MP stated in his foreword to the UK’s data protection bill overview:
Implementation will be done in a way that as far as possible preserves the concepts of the Data Protection Act to ensure that the transition for all is as smooth as possible, while complying with the GDPR.
Keep an eye out for part 2 of our blog where Vincenzo Ardilio offers his expert advice on how to prepare for GDPR.