Government reforms (1): Data protection – GDPR guidance


What do we already know?

We have been regularly updating you about the new General Data Protection Regulation (GDPR), which was introduced on 25 May 2018 and replaces the EU Data Protection Directive and the Data Protection Act 1998.

For further detail see our updates here.

What’s new?

Just in case you’re still finalising your GDPR compliance (!), you may find the following guidance from the Information Commissioner’s Office (ICO), European Commission and ACAS helpful:

1. Self-assessment toolkits

The ICO has published a series of data protection self-assessment toolkits (available here) to help employers comply with their legal obligations when they collect, process and store personal information.

The toolkits include a self-assessment checklist for data controllers and for data processors, together with information on creating a cyber security and risk policy and records management procedures.

Once completed, users will receive a report which details the practical steps they should take to improve their data protection procedures.

2. Guidance on consent

The ICO has published the final version of its guidance on consent (available here). The guidance is intended to sit alongside the ICO’s Guide to the GDPR (available here) and provide further detail on consent and when it should be relied on as a lawful basis for processing personal data.

The guidance considers:

  • The differences between consent under the Data Protection Act 1998 (DPA 1998) and under the GDPR and Data Protection Bill 2017-19.
  • Why consent is important.
  • When consent is appropriate.
  • What constitutes valid consent.
  • How consent should be obtained, recorded and managed.

3. European Commission Guide on GDPR

The European Commission has published a simple “Seven steps for businesses to get ready for the General Data Protection Regulation”, available here. This is aimed at companies that do not handle data as a core business activity but still deal with personal data, for example data concerning their employees or clients.

Key steps outlined in the document include:

  • informing customers, employees and other individuals when their data is being collected;
  • keeping any data for only as long as is necessary; and
  • ensuring that any data being processed is securely stored (physically or on an IT system).

4. ACAS guidance on GDPR

ACAS has published new guidance on the GDPR and what it will mean for employers, available here.

The guidance is made up of a series of questions which cover key issues such as:

  • Who does the GDPR apply to?
  • What is personal data?
  • How can employers comply with the regulation?

ACAS also urges employers to contact it via its helpline if they have any questions about the guidance.