In this series of articles I will be looking at the new General Data Protection Regulation (GDPR), which comes into force in the UK and Europe in the spring. I will be examining how the GDPR will affect the development and design of organisational information systems so that they comply with the GDPR's "data protection by design" requirement.
On 25 May 2018 the ICO will begin to actively enforce the GDPR in the UK. Although much of the regulation is similar to the existing Data Protection Act (DPA), there are some important differences, which mean your organisation's approach to data protection will need to be reviewed in time for the regulation to come into force.
The Information Commissioner's Office (ICO) has much useful documentation on the matter, including a 12 step guide to preparation (link to PDF at bottom of page). The guide itself mentions that many trade associations and bodies are working closely with the ICO to gain and spread information across all industry sectors.
Whatever sector you're working in, the GDPR is certain to affect the way your organisation processes data, and most of that processing is likely to be carried out via a bespoke or "off the shelf" information system. Reviewing your information systems for GDPR compliance can appear to be a daunting task, and the task of becoming compliant certainly should not be skimmed over or taken lightly.
The ideal compliance review would be as short as possible whilst leaving you confident that your systems and organisational documentation would stand up under scrutiny. To get the most value from your available review time, it is a good idea to get up to speed with the expectations of the ICO and to consult the relevant trade bodies in your area.
Those two tasks should ideally be carried out in that order, with your review of the ICO documentation used as a prompt to generate the questions you put to the trade bodies. It is also worth looking for GDPR events in your area. The new regulation has not yet been tested in court, which makes checking your own processes a matter of assessing, and then minimising, risk.
At this stage, your review process should centre on the question "Can I demonstrate that I have taken appropriate measures to comply with the regulation?" Action needs to be taken wherever it could be argued that you fall short of this.
In the next article in this series I will be looking at the important additional concepts the GDPR introduces regarding data being handled by controllers and processors, and what that could mean for the future development roadmap of your information systems.