New EU rules on data protection are set to come into force in 12 months’ time – but taking action now can help you get prepared.
There are some major regulatory changes coming soon that will affect the construction industry – and there are some practical measures your organisation may need to implement over the next year.
On 25 May 2018 the European Union’s General Data Protection Regulation (GDPR) will start to apply and radically change the rules on data protection within the UK.
The rules on data protection are important to all organisations (not just techy ones) and will apply to your organisation if you store, share or otherwise use personal data (think employees, customer data, supplier data to name a few).
Why should you care?
- High fines The fines for non-compliance with the GDPR will greatly increase from the current penalty (£500,000) with a maximum fine of the higher of €20m or 4 per cent of an organisation’s total worldwide turnover. Information Commissioner’s Office head of regions Ken McDonald has made clear that the ICO (regulator in relation to data protection in the UK) expects organisations to be ready for the changes by May 2018: “The GDPR takes effect in May 2018. If you haven’t already done so, you need to start preparing for it now, not this time next year.”
- Tenders It is reasonable to expect that come May 2018 (or even before then) public authorities will expect tenderers to demonstrate compliance with the GDPR in order to tender for public sector contracts. Therefore tenderers have a business interest in being able to provide a credible description of the measures that have been taken in response to the upcoming changes under the GDPR.
- Customer data You will hold data in relation to the parties you are working for, including public sector customers. Your customers will want to know how you are processing their data, and that you are doing this in a way that is secure and compliant with the GDPR.
The good news is that you have 12 months to prepare and the first step is awareness of the GDPR.
Step two is preparation. Appoint someone in your organisation to lead these preparations – planning ahead over the next 12 months means you will have the opportunity to resource the required actions from your team as workloads permit.
The ICO has published a helpful 12-step guide to assist businesses, which we have summarised: ICO’s 12 Steps Checklist: How to prepare for EU Data Protection Reforms.
What you should do
Below we have outlined some of the key actions your organisation should be taking:
- Information audits and privacy impact assessments (PIAs) Carry out detailed assessments of your organisation’s data-processing activities. This will help you assess what data you hold (you may be surprised how much personal data is kept – now would be a good time to find out), what procedures comply with the GDPR and what requires updating.
- Policies and statements Review your organisation’s privacy statements and policies as well as reviewing data collection forms and other consent mechanisms to ensure compliance with the upcoming changes.
- Data-processing agreements Where you are a controller in relation to personal data held and you appoint a processor to carry out certain functions or services for you (eg payroll activities, confidential waste management, your subcontractors, etc) you must have a written data-processing agreement in place setting out the key provisions the GDPR requires.
- Data protection officer (DPO) Where required, appoint a DPO. This will be an important role for the organisation in terms of ensuring compliance with the GDPR. Appointing your DPO sooner rather than later will give the DPO an opportunity to understand what the role involves before the new laws become enforceable.
- Training Make the GDPR reforms known to key people in your organisation (eg those who supervise or make decisions).
Valerie Surgenor is a partner at MacRoberts