25 May 2018 is a date stamped on every company calendar as this is the date when the General Data Protection Regulation 2016 (GDPR) comes into force. The GDPR is EU law that will underpin data protection and privacy for all individuals within the European Union and will supersede the current Data Protection Act 1998.
The Cambridge Analytica and Facebook exposures are significant examples of what can happen when appropriate safeguards are not put in place. This is not the first large scale personal data breach that the Information Commissioner’s Office has had to investigate in recent years and the challenges are increasing.
The changes being introduced by the GDPR seek to bring privacy and protection of personal data into the 21st century by tackling challenges posed by society that were not present in the past – including those associated with the rise of “big data” and social media. The legislation brings with it the risks of substantial fines for companies, far more than those that have been issued for breaches of the Data Protection Act.
For anyone processing personal data it is necessary to ensure that they are doing so lawfully. The processing of personal data includes the collection, analysis, storage, publication, sharing and deletion of such data. At its heart the GDPR requires privacy by design, adhering to certain key principles of fair processing. At Lichfields we have reviewed all our policies and processes to ensure that we comply fully with the new regulation.
One of the most important areas of our work involving the processing of personal data is through our consultation and engagement services. We know how important good consultation and engagement with local communities is for many development proposals, and this typically involves the processing of some personal data.
Our clients will be comforted to know that we already have robust procedures in place for processing personal data as part of our
Smarter Engagement offer. Whilst there will be some changes to respond to the GDPR, most of our current policies will remain unchanged, as we already adopt the key principles behind the changes, including:
- Only collecting personal data where it is necessary;
- Only processing personal data in accordance with the consent given at the time the data was collected;
- Securely storing personal data and restricting access to it; and,
- Disposing of the personal data once it is no longer needed.
In addition, we now have a new data processing contractual agreement which we will use to protect our clients’ interests. The changes under the GDPR place additional responsibilities on our clients as a data controller. By following our procedures and using new contractual agreements we will protect our clients from fines for breaches of the GDPR and loss of reputation.
Where the collection of personal data is necessary for any project, we will be discussing the implications of this with you. However, in the meantime, if you do have any questions we will be pleased to discuss them with you, as we know how important it is for you and us to comply with the new data protection legislation.
