The General Data Protection Regulation is a hot topic, not just in archives and records, but across organisations throughout Europe. The SfNP thought it might be useful to provide an overview of what the new regulation is, why it is relevant to new professionals, and what you can be doing in your role to prepare for GDPR.
GDPR will replace data protection legislation across Europe from May 2018. In the UK we will have the Data Protection Bill, which will replace the Data Protection Act 1998 (DPA). The DPA brought in rules on the use of personal information and created Subject Access Requests, among other measures to protect an individual’s data. GDPR looks to expand on the foundations of data protection. Once the UK leaves the EU we will continue to follow GDPR through the Data Protection Bill, which currently looks to mirror GDPR and is going through the Houses of Parliament. In this article I will discuss what we currently know about GDPR and provide links and tools relating to the legislation.
What do we currently know about GDPR?
- Organisations will become more accountable for their use of personal information.
- Larger fines for data breaches, which could be up to €20 million (or 4% of global turnover).
- The Information Commissioner’s Office (ICO) must be notified within 72 hours of a breach, and notification will likely affect the size of the penalty.
- The individual now has further specified rights over their data:
  - The right to be informed
  - The right of access
  - The right to rectification
  - The right to erasure
  - The right to restrict processing
  - The right to data portability
  - The right to object
  - Rights in relation to automated decision making and profiling
- Processing of personal data must be documented, and data may only be kept for the original purpose of collection. Retention schedules will be key in identifying personal information and how it is retained and used, and they will show whether records containing personal information will be archived.
- Subject Access Requests will change:
  - Organisations can no longer charge to process requests, unless the organisation can prove the request is excessive.
  - The request must be answered within one month of receipt.
- Changes to the rights of children, which specify how consent and the processing of personal data change across different age categories.
- Privacy by design – the new rules include a need for proof of consent, processing notes and Privacy Impact Assessments (PIAs). These enable organisations to continue to process data, but they now need to actively protect and manage sensitive data.
- Archives are specifically mentioned a number of times and are promoted as a tool for accountability. Archiving purposes in the public interest (APIPI) is the key term used in the legislation.
Why should new professionals be interested in GDPR?
The new legislation is great news and an opportunity for record keepers. GDPR puts a spotlight on the importance of record keeping and even takes into consideration how archives currently use personal data; for example, the right to be forgotten cannot be applied to archival records. Records managers are at the forefront of the work needed in preparation for GDPR. GDPR also emphasises the need to make personal data findable, and a key skill in record keeping is creating finding aids, e.g., Information Asset Registers, Retention Schedules and Archive Catalogues. Having detailed finding aids demonstrates compliance.
GDPR should empower you in the skills and training you are bringing to your role and organisation; the legislation is an opportunity to show the greater impact and importance of our profession in the workplace. The positioning and inclusion of the activity of archiving demonstrates an acknowledgement of the importance of archiving and of protecting archives. Policies for your organisation or repository, e.g., for collecting records, destruction of records and cataloguing, are now even more valuable and can be used as advocacy to your managers and stakeholders.
GDPR will have an impact on archival processes, as was highlighted recently at the ARA and UCL GDPR Symposium. The event raised issues to consider in how we handle personal data from researchers and enquiries from the public, and how long we need to retain the information provided when people access repositories.
As a final note, I would encourage all readers to look into training and events on GDPR and to get to grips with the changes. This legislation will impact us beyond May 2018; a lot will change between now and then, and further significant changes will occur once the bill is tested in legal proceedings. Please feel free to comment with any additions you would recommend to the resources below.
Resources for learning and preparing for GDPR
- https://ico.org.uk/ – the ICO website is the number one place to find any information regarding changes and updates to the legislation.
- The ICO Guide to the General Data Protection Regulation (GDPR), for more in-depth information on GDPR and the Data Protection Bill.
- Most law firms are offering guidance on how to prepare for GDPR, as are many specialists, including Paul Gibbons – www.foiman.com and https://www.foiman.com/foiman-blog
- Information Commissioner’s Office – Consultation: GDPR consent guidance, March 2017 – this guidance provides more information on consent under GDPR.
Sara Brimble, Chair, Section for New Professionals
This post was updated on April 17, 2018