Data security is crucial for all organisations, especially those working with children and young people. From 25 May 2018, you need to comply with the General Data Protection Regulation (GDPR). The GDPR gives individuals greater control over their personal data, regardless of where that data is sent, stored or processed.
As an organisation, you need to provide individuals with:
- Access to their own data, and information on how their data is processed;
- An easy way to transfer their personal data between service providers (the 'right to data portability');
- A right to have their personal data erased if there is no legitimate reason for retaining it (the 'right to be forgotten'); and
- Notification of a breach of their personal data where it is likely to result in a high risk to their rights and freedoms, for example where the data has been stolen or exposed.
Complying with the GDPR
The Information Commissioner's Office (ICO) has created a checklist of things organisations can do to ensure compliance:
- Awareness: Ensure that all decision makers and key people in your organisation are aware of the GDPR and appreciate its impact.
- Information you hold: Document what personal data you hold, where it came from and whom you share it with.
- Communicating privacy information: Review your current privacy notices and make any necessary GDPR changes.
- Individuals' rights: Check your procedures cover all the rights individuals have, including how you would delete or provide personal data.
- Subject access requests: Put in place procedures for handling requests, including how you will respond within the one-month time limit the GDPR sets.
- Lawful basis for processing personal data: Look at the various types of data processing you carry out, identify your lawful basis for each and document it.
- Consent: Review how you are seeking, obtaining and recording consent and whether you need to make any changes.
- Children: Put systems in place to verify individuals' ages and to gather parental or guardian consent for the data processing activity.
- Data breaches: Ensure you have the right procedures in place to detect, report and investigate personal data breaches. A breach that is likely to result in a risk to individuals must be reported to the ICO within 72 hours of you becoming aware of it, so the procedure needs a clear escalation route and an owner.
- Data Protection by Design and Data Protection Impact Assessments: Familiarise yourself with the guidance the ICO has produced on Privacy Impact Assessments (called Data Protection Impact Assessments in the GDPR), and work out how and when to carry them out.
- Data Protection Officers: Designate someone to be responsible for data protection compliance, and check whether you are required to formally appoint a Data Protection Officer (DPO).
- International: If your organisation operates internationally, you should determine which data protection supervisory authority you fall under.
Children's personal data
The GDPR brings in special protection for children's personal data.
Your privacy notice must be written in language that children will understand.
If you offer an online service directly to children, you may need to obtain consent from a parent or guardian to process the child's data. The GDPR states that a child can give their own consent to such a service at 16, and allows member states to set a lower age, down to a minimum of 13. (In the UK this may be lowered to 13 as proposed in the Data Protection Bill and is subject to Parliamentary approval.) If a child is below the applicable age, consent is required from a person holding parental responsibility.
What data protection risks can insurance cover?
Insurance is no substitute for complying with regulations. However, as not all data risks can be anticipated or prevented, an effective Cyber Liability insurance policy should form part of your risk management. A Cyber Liability insurance policy can cover the following types of data-related loss:
- Breach costs - support in the event of a data breach including forensic investigations, legal advice and notifying customers or regulators.
- Privacy protection - pays to defend and settle claims made against you for failing to keep people's personal data secure.
- Hacker damage - reimburses you for the costs of repair, restoration or replacement if a hacker causes damage to your electronic data.
You should speak to a specialist insurance broker who understands children's and youth organisations along with their data risks, so that you get the right protection.
For more information visit the Unity Insurance Services website or call on 0345 040 7702.