What will GDPR mean for safeguarding?
Public and voluntary sector organisations will soon have to comply with a demanding new set of regulations relating to the storing and processing of personal data.
During recent Zurich Municipal customer day events, organisations expressed concern about how the introduction of the General Data Protection Regulation (GDPR) – which comes into effect on 25 May 2018 – would affect the way they record and retain information for safeguarding purposes.
Here, we explore some of these challenges, and look at ways to respond.
Safeguarding and GDPR – is there a conflict?
Keeping detailed and comprehensive records is fundamental to good safeguarding practice. Safeguarding is about protecting vulnerable people from harm, by putting their safety and well-being at the heart of decision-making.
Many organisations have safeguarding responsibilities, and it is important they understand how to execute these duties, and how their record-keeping may have to change after the introduction of the GDPR.
Existing data protection law – in the form of the Data Protection Act – stipulates that personal information may only be held for as long as it is necessary for the purpose for which it was originally obtained. GDPR goes further, however, by broadening the definition of personal data. It will also become more straightforward for individuals to access their personal data or ask for it to be erased.
At our recent forums, organisations voiced concerns about whether the GDPR will mean they are no longer allowed to keep personal data for as long as they do currently, and whether their reasons for processing it in the first place would be considered lawful.
However, while the GDPR will place greater emphasis on the need to justify the rationale for retaining personal information, organisations will remain compliant as long as they are able to demonstrate why it is necessary to keep this information for safeguarding purposes. The key question organisations must answer is: what is the lawful basis for holding this information?
The right to be forgotten
In relation to the rights of individuals to access their personal information – or request its erasure – one customer forum attendee posed this question: “What would happen if you sacked somebody in connection with a safeguarding incident, but you didn’t have any records to show why you’d taken that decision, because the data subject had asked for those records to be removed under GDPR?”
The ICO guidance on this issue makes clear that an individual’s right to be forgotten is not absolute, and there are a range of circumstances in which an organisation may refuse to comply with a request to erase data. These include circumstances where the data in question has been processed for the purpose of exercising or defending legal claims, or for archiving purposes that are in the public interest.
The right to be forgotten could be a particularly significant issue for children, including those who have been in care, so it is important organisations are aware of the extra requirements the GDPR will put in place relating to requests to erase children’s personal data.
Courts could have final say on GDPR?
Although the ICO has made clear that organisations can retain records for as long as there is a lawful reason for doing so, many attendees at our customer forums were of the view that there could be circumstances where their rationale for keeping personal information could be challenged.
“I don’t think this issue will be settled until it goes before the courts,” said one.
Several other attendees also pointed out that insurers will typically ask for records to be retained for as long as possible to aid claims defensibility.
This presents another challenge for organisations: even if you have a lawful reason for retaining information, where do you store it all? Customer forum attendees described the mammoth logistical challenge of digitising their archives in order to store records, some of which go back several decades.
How are organisations responding to GDPR?
While there are no easy answers to the challenges outlined above, it is clear that public and voluntary sector bodies are aware that GDPR must be addressed at the highest level within their organisations.
Forum attendees said their organisation’s senior managers have been involved in all key decisions relating to GDPR, while others described how their organisations have set up GDPR project teams to untangle some of the crucial issues.
One said: “GDPR isn’t an IT issue, or a records issue – it’s an organisation-wide issue. I have heard of some companies leaving GDPR to their IT departments, which is amazing when you consider how complex a challenge it is.”
Organisations are also realising that it is more important than ever to have straightforward processes for tracking how personal data is used. One customer forum attendee described their organisation’s system for categorising different types of data.
“We group information into Public, Internal, Confidential, and Strictly Confidential, and this framework helps us to decide how we should retain information,” they said.
Customers also described how they use Privacy Impact Assessments to try to reduce the risk of harm to individuals through the misuse of personal information.
Preparing for GDPR
Recent News and Views articles have offered helpful information on how to ready yourself for GDPR.