Uncategorized

UK: GDPR Readiness Assessment Tool

A GDPR Readiness Assessment Tool is a checklist of compliance requirements imposed by the new legislation which will take effect on 28 May 2018. UK organisations should see that the assessment tool they use is specific to the country, as the Data Protection Act that will implement GDPR will be different than the transposition made in other countries.

What is a UK-localised GDPR Readiness Assessment Tool?

Organisations in the UK have had to always comply with the Data Protection Act of 1998. But the GDPR places far more extensive compliance burdens on organisations than the previous act, so it is extremely useful to have an assessment tool that goes right to the heart of the new responsibilities GDPR imposes.

There are a number of such tools currently available, but a UK organisation should be careful to use one that takes into account the specific country-wide regulations that the new Data Protection Act – which will implement the European Regulation – has added to the compliance picture.

GDPR in the UK will be quite different from that of Germany or Romania. Here are some specifics that the UK Information Commissioner’s Office (ICO) has already made public:

  • The Bill has a part dealing with processing that does not fall within EU law, for example, where it is related to immigration. It applies GDPR standards, but it has been amended to adjust those that would not work in the national context.
  • It also has a part that implements the EU’s Law Enforcement Directive. This is part of the EU’s data protection reform framework and is separate from the GDPR. The Bill has provisions covering those involved in law enforcement processing.
  • National security is also outside the scope of EU law. The Government has decided that it is important the intelligence services are required to comply with internationally recognised data protection standards, so there are provisions based on Council of Europe Data Protection Convention 108 that apply to them.
  • There are also separate parts to cover the ICO and our duties, functions and powers, plus the enforcement provisions. The Data Protection Act of 1998 is being repealed so it makes the changes necessary to deal with Freedom of Information/Environmental Information Regulations and how they relate to data protection.
  • In December 2017, the ICO announced a major consultation on the implementation of GDPR’s clauses regarding children and personal data. This strongly suggests that the UK law will be substantially different, with further development, than the GDPR framework in this regard.

Learn the 8 ways board directors should be preparing for GDPR right now or book a demo to find out more about how we can help.

How a GDPR Assessment Tool Works

The ICO provides an assessment tool, one that offers a different evaluation for data controllers and data processors – this is, of course, a key distinction in the GDPR. A data controller is the individual or the legal person who controls and is responsible for the keeping and use of personal information on computers or in structured manual files. A data processor is anyone who processes personal data on behalf of the data controller, i.e., a data analytics service provider.

Thus, for the data controller, the ICO queries issues that include:

  • Information you hold.

Your business has conducted an information audit to map data flows? You should organise an information audit across your business or within particular business areas. This will identify the data that you process and how it flows into, through and out of your business. Your business has documented what personal data you hold, where it came from, whom you share it with and what you do with it.

  • Lawful bases for processing personal data.

Your business has identified your lawful bases for processing and documented them? The GDPR defines these, but you must explicitly declare which lawful base you rely on for legally processing data.

Your business has reviewed how you ask for and record consent by consumers for the use of their data? Your business has systems to record and manage ongoing consent? Consent is not always required. You should also assess whether the declaration of a lawful basis is more appropriate. Consent means offering people genuine choice and control over how you use their data. You should keep records of what an individual has consented to, including what you told them, and when and how they consented. You should tell individuals they can withdraw consent at any time and inform them of how to do this.

  • Consent to process children’s personal data for online services.

If you offer online services to children and you rely upon consent, only a child aged 13 or over will be able to provide their own consent. You will therefore need to make reasonable efforts to verify that anyone giving their own consent is old enough to do so. For children under 13, you will need to get consent from whoever holds parental responsibility for the child — unless the online services you offer are for prevention or counselling. You must make reasonable efforts (using available technology) to verify that the person giving such consent does, in fact, hold parental responsibility for the child.

Your business is currently registered with the Information Commissioner’s Office. Until May 2018, you are still required to register with the ICO (unless an exemption applies). After May 2018, you need to pay the ICO a data protection fee.

Diligent Boards Keeps Directors Up-to-date

To keep up with all of the information regarding GDPR, Diligent Boards keeps directors up-to-date.

Diligent Boards moves all of the agendas, documents, annotations and discussions of board meetings online into one intuitive, secure portal. The platform goes beyond digital board books to manage the full scope of a board’s moving parts — committees, contacts, voting, reporting and more.

With Diligent Boards, on-the-go directors will have more than iPad board meeting software at their fingertips. From a single sign-on (even for multiple boards), they’ll be able to work across devices (with real-time syncing) to: stay current with committee meetings and materials; communicate and annotate documents in tandem with other users and get notifications for updates; easily search archives and board resources; complete questionnaires and submit their votes and signatures any time of the day or night, from anywhere in the world, from their smartphone, tablet or laptop.

Featured Blog