Under the new General Data Protection Regulation, that is due to replace the 1998 Data Protection Act in the UK as part of an European Union-wide reform, you will only need to report to the regulator the ICO personal data breaches. You will be required to report ‘without undue delay’ and where feasible within 72 hours after becoming aware of it. There will be no requirement to report to the ICO if the breach is unlikely to result in a risk to the rights and freedoms of the data subjects. You will have to notify the data subject without undue delay or ‘as soon as possible’ in high risk cases.
These are among the points made by Laura Irvine, Partner and Solicitor Advocate at BTO Solicitors at a recent ‘Tackling Violence Against Business’ conference. Slides of her talk, ‘Demystifying the GDPR’ are free to view on the NBCC (National Business Crime Centre) website.
She said that the GDPR is not the ‘Y2K bug’ all over again (an unfounded fear in 1999 that the turn of the millennium would cause IT to crash). You do not, she said, have to delete personal data if you have a good reason to hold onto it. All that said, she warned that compliance with GDPR is not about ticking boxes and it will carry on after the GDPR comes into force on May 25, 2018.
As for processing of criminal convictions or offence data, you must determine your condition for lawful processing of such data before you begin the processing, and you should document this, she recommended.
Visit: https://nbcc.police.uk/. Other documents on the NBCC website cover countering fraud, staff safety, cyber, and security-related management issues.
The ICO (Information Commissioner’s Office) also offers guidance, such as a checklist and ’12 steps to take now’, ahead of the GDPR becoming law: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr.
See also the March, April, May and June 2018 print issues of Professional Security magazine.
