The event began well with savoury nibbles, cakes, biscuits, drinks
and time for the early arrivals to shake off their journeys and chat if they wanted
to. Having arrived a few minutes early
courtesy of train timetables I was one of the first to arrive and received a
warm welcome from one of the Thames Valley committee members. The event was advertised to begin at 7pm
although the talk did not start until after half past which allowed time for
late arrivals and for some networking to take place. Shortly after 7:30 we were ushered into a
small lecture theatre to discover more about copyright and GDPR.
Naomi began with some of her background and her passion for
both copyright compliance and GDPR data protection became immediately
apparent. She was keen to inspire her
audience and also to reassure us that our existing processes and procedures are
most likely working well so that the reform of data protection should not be a
scary prospect! After a show of hands to
see whether to focus mainly on GDPR or copyright Korn gave a brief overview of
copyright compliance, recapping the Naomi Korn Copyright Consultancy (NKCC)
Compliance model[1]
and ensuring that we all understood how the model worked. The majority of the evening was spent looking
at GDPR which will be translated into UK law in May 2018, NKCC is working in
partnership with Content Clear a data protection and GDPR specialist provider
and it is something Naomi believes lines up really well with the compliance
model used for copyright. Naomi is a
firm believer that copyright and data protection are an organisational issue
not simply a matter of legal compliance and the compliance model illustrates
this really clearly.
GDPR gives greater transparency in data protection
obligations and responsibility and broadly speaking if your company is
compliant with existing data protection laws and has a customer focuses ethos
the compliance with GDPR should not cause huge issues. GDPR covers paper and electronic records and
builds upon the 8 principles of data protection. GDPR increased the responsibility of
companies to keep data secure and also increases citizen rights in relation to
data protection. Accountability in
relation to data protection is becoming stricter, for example when an
organisation is collecting data and making it available then privacy must be
designed into the process including considering and justifying why the data is
being collected and where and how it will be being shared. Fines for breaches
of GDPR are likely to be higher. Citizen
rights are also being increased in terms of what they can expect and request,
e.g. deletion of data from systems.
Naomi highlighted the ICO next steps information[2]
as an important document to read. She
urged us to consider if we as a data collecting organisation could deal with an
individual’s right to be forgotten and have their personal data deleted? The GDPR legislation gives better recognition
to children in relation to their data protection, and the importance of consent
from parents and guardians. It is
essential that compliance with GDPR needs support from all elements within the
organisation.
A large part of the event revolved around Naomi’s 10 top
tips, although as the observant amongst those reading this will realise we soon
moved past the limit of 10 tips!
1) GDPR and copyright are organisational compliance
issues, not individual ones.
2)
It is unlikely that GDPR compliance will be
completely achieved immediately – it is a process and process equals time.
3)
Copyright is a balanced relationship between
compliance, pragmatism and ethics; GDPR is similar and becomes a risk
management issue whereby we aim for complete compliance focusing on areas of higher
risk first.
4)
Be proportionate about what we do; do your best
to comply but remember that as information organisations we are likely to
already be fairly well advanced.
5)
Project management and privacy by design are
essential. E.g. plan privacy into all
aspects of projects how are you mitigating risks and ensuring that GDPR is
built into contracts and licences.
6)
Monitor, review and keep up-to-date as an
organisation.
7)
Ensure that you have training and strategies to
raise awareness of the changes in place; this needs to be embedded throughout
the organisation and regular refreshment activities need to be in place –
avoiding complacency!
8)
Remember that GDPR applies to paper and
electronic records.
9)
The policy section of the compliance model is
not simply about writing a GDPR policy – many other policies will be impacted
and therefore need reviewing.
10)
Read the ICO website for further information but
don’t be overwhelmed by the amount of information available. Naomi recommended that we begin with the 12
steps diagram previously mentioned.
11)
Carry out an information audit – what have you
already got, where is it stored and who can access it. This will enable us to move forward
organisationally and see what changes need to happen.
12)
Exemptions – there will be some but as yet we
don’t know what they are! Expected to be
broadly similar to existing data protection exemptions, but an announcement of
the exceptions is not expected until at least September. Commercial activities and sharing data
outside of the organisation are likely to be areas of higher risk.
The final aspect of the session
involved, unsurprisingly, questions from the audience. Things that were touched upon related to the
“right to be forgotten” aspect in relation to things such as library fines and
Naomi believes that this sort of issue will be covered via the exemptions when
they are announced. Brexit was
mentioned, when is it not nowadays, but this is will have no impact on the
adoption of GDPR as it will be transposed into UK law. Finally the likelihood of prosecution was
discussed with Naomi feeling that using the compliance model will reduce the
risk. If we deal with areas of higher
risk first e.g. losing data or sharing data with people/companies that we shouldn’t,
then the process will hold less chance of prosecution.
Naomi’s final word of advice was
to breathe in the change rather than panic over it, generally the types of
institutions that were represented are already data protection compliant and
the move to GDPR is unlikely to pose a big challenge.
Fiona Watkins - Digital Resources Manager, University of Northampton