GDPR – Getting Started
Getting ready for GDPR
The General Data Protection Regulation (GDPR), which imposes new and stricter obligations on expert witnesses who handle personal data, comes into force in May 2018. What should an expert do to get ready?
The first step is to look at the Information Commissioner’s Office’s (ICO’s) 12 Steps guide, and then to move onto their GDPR Guide, which is well organised and easy to read.
What most expert witnesses will need to do is:
- Conduct a data audit to determine what personal data (i.e. data covered by the GDPR) is held
- Write a privacy notice that explains their data processing
- Work out the legal basis for processing such data – for expert witnesses, that could be consent, though ‘legitimate interest’ may be the better basis
- Be clear about whether relying on the consent obtained by those who instruct the expert is sufficient, or whether the expert needs to obtain consent directly from the individual
- Understand the rights individuals have to ‘their data’ (covered in the ICO’s Guide) so as to know how to respond should someone make a ‘subject access request’
In terms of data security, the GDPR imposes greater duties to prevent data breaches and introduces potentially large fines. Expert witnesses should consider writing a data security policy setting out how they will ensure personal data is kept secure. Up-to-date computer security is obviously essential, as is physical security for sensitive data. But experts should also think about how to protect such material when it needs to leave the office, whether it travels to court or is backed up to ‘the cloud’. It is quite clear that leaving paper files on trains, or unencrypted USB sticks lying around, will not be tolerated under the new regulations.