Many public authorities are well on the path to readiness for the introduction of the General Data Protection Regulation on 25 May, according to Fiona Killen, a partner at Anderson Strathern specialising in data protection, who works with a team of other data protection specialists at the company advising a range of organisations on compliance with data protection law.
“We are seeing a number of public authorities who are well positioned to be ready by May,” said Killen. “They have been doing information audits, developing information asset registers, and they have been looking at their privacy notices to ensure they can comply with fair processing requirements. We have also been involved in reviewing and revising a significant number of data sharing and data processing agreements for public bodies who share data with third parties.”
One of the challenges is that, under the GDPR, public authorities can no longer rely on ‘legitimate interests’ as a legal basis for processing data where they are doing so in the performance of their public authority tasks. “So, part of the work in preparing for its introduction has been in identifying what legal basis a public authority is going to rely on for the different purposes of processing data. They need to maintain a clear audit trail of decision making in relation to their legal basis for processing.”
Staff training is a key element of being ready, she said, from public facing personnel, to legal teams, right through to board level. Public authorities are required to appoint a data protection officer under the GDPR. “In some cases, they have been able to do that based on internal expertise,” said Killen. “Others may recruit, and some authorities are looking at a shared service provision.”
Whichever way public authorities decide to achieve compliance with the GDPR, they will need to ensure responsiveness in dealing with subject access requests and in meeting other new individual rights, such as the right to erasure. The timescale for data controllers to deal with subject access requests has been reduced in most cases from 40 calendar days to just one month, and the statutory £10 charge for processing a request will be abolished.
These factors, combined with the degree of publicity around the introduction of the GDPR, could result in data controllers having to deal with more requests within a shorter time period.
“It underlines the importance of data controllers doing a good information audit, having a sound asset register on what they hold, where they hold it, why they process it, and who it relates to,” said Killen. “All these things will help them comply with the enhanced rights for individuals. If you don’t know what you hold or what you are processing in relation to someone, then at the point they exercise one of their individual rights in respect of that data, it’s obviously going to be difficult to turn that round in the timescale set out.”
The requirements around fairness – telling people what is being done with their data – will add to public awareness and increase the possibility of requests.
“Where we are seeing good practice is among organisations who have grasped this as an opportunity to address how much personal data they need to hold and what they are doing with it,” said Killen. “It’s a form of housekeeping, an opportunity for good records management, the recognition that, although they hold data, it is the personal data of the individuals and what those organisations do with it could have a direct impact on those individuals.”
GDPR’s processing principles and individual rights
- According to the GDPR, personal data must be processed in accordance with the principles of lawfulness, fairness and transparency.
- Data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
- A data controller or a data processor must also make sure to respect the principle of data minimisation, meaning that personal data “shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they were processed”.
- Personal data must be accurate and, where necessary, kept up to date.
- Storage limitation, integrity, and confidentiality have to be respected. That is, personal data must be kept in a form which permits identification of data subjects for no longer than is necessary and must be processed in a way that ensures security of the data.
- The GDPR maintains, “often reinforces”, and further develops the rights of the individuals, including the right to information, the right to be forgotten, the right of restriction of processing, and the right to data portability.