Here is a summary of the IRMS London GDPR event that took place in August this year, written by attendee Clare George.
25 May 2018 is a date that all record managers will have been focused on for some time, but as an archivist, I must admit that I have only recently started to think about what my organisation needs to do before the GDPR comes into force in eight months’ time. The talk by Mark Taylor, a data protection lawyer, on preparing for the GDPR, provided an extremely useful introduction.
Mark began by explaining that the (EU-based) GDPR should be seen more as a philosophical principle establishing individual rights on data as a human right, rather than as a set of hard and fast rules. Applying the GDPR will require a good deal of interpretation and much will depend on the UK’s national guidelines, which are still being written.
The GDPR will be much more complex and the requirements much stricter than the current Data Protection Act. Penalties for non-compliance will also be much higher, and in contrast to the current situation, non-compliant data processors as well as data controllers will face sanctions. Organisations will need to show not just that they are complying, but also how and why.
Mark’s main focus was on implementing GDPR within organisations, for which he suggested a 6-step approach:
1) Lay the foundations by getting senior management buy-in, identifying key departments and ensuring that the necessary resources and budget are agreed.
2) Review in detail what your organisation does (what personal data is held where, what is done with it, where it came from, etc.: the entire lifecycle of the personal data you have).
3) Work out where the gaps are between where the organisation is now and where it needs to be. Use e.g. questionnaires or interviews.
4) Implementation proper. At this stage it is vital to think about how to train staff and raise awareness of GDPR throughout the organisation.
5) Consider the future, and incorporate last-minute guidance from the ICO.
6) Monitor and maintain projects, and keep up with any changes which are introduced after May 2018.
Obviously all of this will entail a huge amount of work and a change in culture within most organisations. However, as Mark suggested, information managers can present GDPR preparation not simply as the challenge of meeting new externally-imposed requirements, but as an opportunity for organisations to improve their overall data standards and get their data systems into good shape.