If your clients/policyholders have an ARAG policy and have not yet registered to use araglegal.co.uk, they could be missing out on lots of useful information.
In addition to maintaining the law guide and creating online legal documents for clients to customise to their own circumstances, the team behind our Legal Services website also publish topical Business Bulletins. Once registered with the site, customers can opt in to receive these.
General Data Protection Regulations
For this first blog I've extracted some content about the General Data Protection Regulations from a recent business bulletin. Why not send this to clients with a reminder of their voucher code and encourage them to register on the Business Legal Services website to receive information like this in the future?
Introduction
The Data Protection Act 2018 will implement provisions of the General Data Protection Regulations (GDPR) into domestic law in the UK. The Bill is currently bobbing along through Parliament and will be passed into law to take effect from 25 May 2018.
GDPR: how to demonstrate accountability
GDPR imposes an obligation on those who control other people's personal data. Data controllers must be able to demonstrate compliance with 6 essential principles.
In summary, these principles are that personal data must be:
1. processed lawfully, fairly and transparently;
2. collected only for specified legitimate purposes;
3. adequate and relevant, but limited to what's necessary for your stated purpose for processing it;
4. accurate and kept up to date;
5. kept for no longer than necessary for the stated purpose;
6. processed in a way that is secure.
What does it mean, in practice, to be able to demonstrate compliance with these principles?
Most importantly, you must have appropriate data protection policies and procedures. You may be a very fair person and only ever process data lawfully, fairly and transparently (as required by the GDPR). But if you don't have policies and procedures, you won't be able to demonstrate that.
You'll also have to be able to demonstrate that you correctly implement your policies and procedures and that you have effective compliance measures endorsed by the highest level of management in your business. You'll also have to provide training so that all staff understand what it means to be compliant with data protection principles, and you'll need policies for dealing with poor compliance and data breaches.
The Information Commissioner's Office says that, where appropriate, appointing a data protection officer (DPO) is necessary for demonstrating accountability. Businesses must appoint a DPO if their core activities include: regular and systematic monitoring of individuals on a large scale; or large-scale processing of information relating to criminal offences or 'special categories' – i.e. sensitive information on 8 specific topics, such as racial origin or political beliefs.
We expect most SMEs will not have to appoint a DPO. However, we'd suggest you choose someone to oversee data protection anyway, to help you demonstrate accountability.
Article 30 of the GDPR describes the records of data processing activities that you must keep. For example, the record must include your name and contact details, the purposes of the processing and any recipients of the processing. In effect, this amounts to a data protection audit.
If you employ fewer than 250 employees, you might not have to comply with Article 30. However, the duty to be able to demonstrate compliance applies to all businesses that control data, so if your business does, we'd suggest you conduct a data protection audit.
What this means for you
If your business controls personal information you must act fairly and in line with the principles of the GDPR. You must also be able to demonstrate this. How you do that will depend on your business and the personal information you control. At the very least, appropriate data protection policies and procedures will help. You should, however, also conduct an audit of the personal information that your business receives and processes.
How we can help
Our Privacy and cookie policy for a website will help if you have a website through which you capture customer information. We also have an Employee handbook that instructs staff about the data protection principles and their obligations. Both documents are compliant with the current Data Protection Act, but we're currently working to update them for the GDPR.
This blog features legal content from Epoq Legal Services, creators of ARAG Business Legal Services.
Watch out for my second blog with some more extracts for you/your clients on employment law updates.