The EU General Data Protection Regulation (GDPR) comes into effect on 25 May 2018. The regulation is an attempt both to harmonise data protection law across the European Union and to take account of the technology advances that have changed how organisations store and process personal data.
In common with other organisations, the Improvement Service is working hard towards ensuring it complies with the new regulation. This is essential both to protect the privacy of individuals and to manage risk to the organisation as a business entity in its own right. It also helps to build trust amongst our partners and the public.
We've been busy developing a GDPR-Readiness Plan covering the products and services within the Improvement Service's wider portfolio, including myaccount, Data Hub and the National Entitlement Card. The plan's structured around four broad themes:
It's a complex undertaking so we've engaged specialist external legal counsel, Thorntons Solicitors to help out. We've spent a lot of time making sure we understand who the Data Controllers and Data Processors are in our different services, what our purposes for processing personal data are and what the legal bases for processing might be. We also need to make sure that all our agreements, terms and conditions and privacy notices reflect this. Template documents are already in draft and we're currently discussing them with a small number of partners across local government and health. We expect to release them for wider discussion and adoption from mid-March onwards. We're also discussing existing contracts with our suppliers to make sure they in turn meet their obligations.
So taking just one of the products within our portfolio, myaccount, what does this mean? We've completely reviewed and overhauled our privacy notices and terms and conditions for account holders and developed new agreements for our partners. We're also working on technical changes to the underlying myaccount system to bring it into line. Obviously, we're doing everything we can to ensure there's no interruption to business and little impact on account holders. We won't be asking anyone to re-register. Once we've made the changes to the system, we'll just ask account holders to accept the new arrangements next time they log in.
GDPR is not a simple tick box exercise for us though and the work doesn't stop on 25 May. We've also reviewed our induction and development processes to reinforce our commitment to privacy by design. That means a bit more formality around threat modelling and data flow analysis and making sure we build robust risk and security management in to our systems as early as possible.
In summary, changes are afoot as the Improvement Service puts in place the steps necessary to maintain regulatory and legislative compliance, to protect individuals' privacy and manage risk to the organisation. Critically, as we prepare to make these changes, it will be business-as-usual, continuing our plans to bring new customers and services on board, and anticipating no service disruption for service providers or account holders alike as we comply with GDPR.