The latest version of the Standard has just been updated to align with the GDPR legislation of 2016 and the forthcoming enforcement date of 25th May 2018.
Copies can be bought from the BSI Shop here: BS 10012:2017 – Data Protection
As we all should be aware by now, the requirements on companies as Data Controllers and Processors are far more onerous in their obligations to their Data Subjects and therefore every company, regardless of your size and turnover, should be quite some way down their path to being as ready as possible for enforcement date.
Given the extensive coverage of recent hacks it is important to remember that Data is the most valuable asset a company has and doing right by that data is more pertinent than ever.
This BS 10012:2017 standard specifies what should be expected of PIMS (Patient Information Management Systems) and is aimed at ANY sized business and gives a steer on good practise and framework for maintaining and improving Data Protection.
I think Table B.1 of Annex B gives a good non exhaustive change comparison between the DPA Act now and what will be under the GDPR.
Have a read and ask yourself if your company is able to be satisfied that they are ready for GDPR? I think it is obvious that this is a cultural change and not an IT, Legal or Business focused silo’d activity. Think of PII ingress and egress points and what is done with it anywhere in between .. if you are going to do this right then you need that holistic root and branch thinking or you will fall foul of something !
- GDPR – Regulations apply to all EU member states.
- DPA- UK has the DPA 1998 which was derived from the 1995 EU Directive
The same rules for all companies, regardless of where they are established
- GDPR – Companies based outside of Europe have to apply the same rules when they offer goods or services into the EU market
- DPA – Non-EU based companies are not required to conform to UK DP laws
- GDPR – Fines of up to 4% of global turnover or EUR 20 000 000, whichever is the greater, can be imposed by the relevant supervisory authority
- DPA – Fines of up to GBP 500 000 can be imposed by the ICO
- GDPR – Supervisory authorities can issue a definitive or temporary ban on any processing of personal information
- DPA – The ICO can issue an enforcement notice
- GDPR – Processors have direct obligations and liability, and can be enforced against directly
- DPA – Processors are only subject to the contract terms of the controllers.
Data protection by design and default
- GDPR – Data protection safeguards have to be built into products and services from the earliest stage of development, and privacy-friendly default settings are the norm. Privacy impact assessments are mandatory in some circumstances
- DPA – No existing specific law/ regulation in the DPA, although good practice guidance exists
- GDPR – Companies have to record and maintain details of their data and processing activities
- DPA – A high-level description is notified to the ICO
Data protection officer
- GDPR – Large companies have to employ a specific DPO
- DPA – There is no equivalent requirement in the DPA
Right to erasure (sometimes known as the “right to be forgotten”)
- GDPR – Requests are considered on a case-by-case basis. When a legitimate request is received by a holder of personal information they are to delete the personal information (subject to there not being any legal reason requiring the personal information to be retained)
- DPA – Requests are considered on a case-by-case basis. This is a right that is usually exercised through the courts
More information about how data is used
- GDPR – Organisations are to provide natural persons with more information about how their personal information is processed, both when they are collected and when they reply to an access request.
- DPA – Organisations are to provide individuals with information on the data collected, purposes of processing, recipients and sources
A right to data portability
- GDPR – Natural persons have the right to have personal information transported between service providers
- DPA – There is no right to data portability in the DPA
The right to know when one’s data has been compromised
- GDPR – Organisations are to notify the national supervisory authority of data breaches which put natural persons at risk. Where appropriate, organisations are to communicate to the individual all breaches of high-risk personal information so that the individual can take appropriate measures.
- DPA – Material data breaches are required to be reported to the ICO for some public sector organisations Other organisations report voluntarily as best practice
Data breach reporting timescales
- GDPR – Data breaches are reported to the supervisory authority within 72 hours and to individuals as soon as possible
- DPA – Material data breaches are reported within a reasonable period of time