The General Data Protection Regulation (Regulation (EU) 2016/679) and the Data Protection Act 2018 (together “the GDPR”), both seek to bring the law up to date, to address the way in which organisations collect, process and use all of this data which is in circulation.
Almost every business holds personal data to one degree or another. It doesn’t even have to be held on a computer for the law to apply. But don’t make the mistake that GDPR is there simply to protect data, its scope is far wider than that and data security is only one element of what the GDPR is about. Fundamentally, it exists to protect the rights of data subjects, and it’s the infringement of these rights that can lead to serious repercussions.
Businesses ignore the GDPR at their peril. Failure to comply with the regulations could expose the business to external audits by the Information Commissioner’s Office (ICO), compliance obligations, compensation payment to data subjects and penalties and fines up to €20million or 4% of global turnover…and those are just the regulatory sanctions. Just think about the direct and indirect costs associated with the loss of reputation businesses will inevitably suffer in the event of a data breach.
GDPR compliance is going to be a journey for all organisations. It’s also a great opportunity to show your customers how much you care about keeping their information safe and secure.
Inevitably you will have to start with a detailed review of your existing systems to establish what, where, and why data is currently held. Staff and stakeholders will need to understand the role they will need to play and why, and policies will have to be written to underpin all processing activities. Relationships with customers and third parties will need to be considered and revised. Use of customer data will need to be transparent and in many cases specific consent will be needed for data to be processed. It will not be possible any longer to keep that hidden away in your terms and conditions or website user terms – express and specific consent may have to be sought and it must be just as easy for a data subject to withdraw their consent as it is to give it. This will involve both technical and legal input from the organisation’s IT and legal suppliers.
Ignoring the GDPR isn’t going to be an option. The ICO have the power to police compliance and are ready, willing and able to impose penalties. Beyond this, they have the power to audit organisations and impose rectification orders on defaulters. It is likely that fines of the size of the headline figure of €20million will be reserved for the worst offender who fails to remedy their practices even where there has been prior ICO intervention. However it doesn’t necessarily follow that organisations will not receive fines for failing to comply with Subject Access Requests, or leaving unencrypted laptops or mobile phones on the train.
You were required to be GDPR compliant as at 25th May 2018. However, all is not lost if you haven’t got started on that journey. With that in mind, we thought it might be helpful to give you a series of initial action points, so that you begin to address some of the key issues within your organisation. All teams from sales, marketing and production to finance, HR and legal will have their own take on how GDPR relates to their departments and the wider business:
- Carry out a detailed information audit to establish the nature of the data held, the format it takes, whether it’s still relevant or if it should be deleted, whether it is secure and who else has access to it.
- Identify areas of non-compliance with GDPR and allocate resources to remedy.
- Develop a risk mitigation strategy.
- Review your employment handbook and create or revise your existing data protection policies.
- Make your staff and stakeholders aware of the importance of GDPR compliance to your organisation and give suitable training. This should also form part of new starter induction.
- Review your existing terms with suppliers and customers.
- Decide how you intend to collect data from customers in the future.
- As part of developing any new project, decide what impact GDPR has on the processing of data generated as part of that exercise.
- Decide upon the specific purposes for which you intend to use that customer data.
- Decide how you will secure consent from data subjects and how you will deal with request to withdraw consent.
- Make sure you are transparent at all times in your dealings.
- How will you deal with data access requests from customers?
- How will you find out about and deal with data breaches?
- Decide if you need to appoint a Data Protection Officer (even if this isn’t technically required under GDPR) or some other person to take responsibility.
- Check that your insurance policies will cover you for the costs arising from a breach of GDPR and the criteria under which claims will be met (and denied) to make sure your policies address these matters.
- Carry out regular reviews at both departmental and executive level.
So as you will see, there is much to be done and it will need your entire workforce to get behind the business owners and key stakeholders.
The good news is that you are not alone, and Thursfields experts can help you with your implementation plan in some of the following ways:
- Organising a legal audit of your data policies and providing you with a detailed remedial report and strategic plan to start your compliance journey.
- Revising your employee handbook and contracts of employment.
- Drafting policies that address issues such as use of computers, phones, memory sticks, laptops, BYOD, third party access, physical file storage and use and security.
- Training your staff of their legal responsibilities under GDPR and how these relate to the revisions to the employee handbook.
- Considering your current recruitment strategy and decide how you might react to “feedback” requests from unsuccessful candidates.
- Drafting your data protection policies to regulate the relationship with customers and suppliers.
- Advising you on whether your proposed data processing is lawful and meets the legitimate interest of the organisation.
- Revising your data outsourcing arrangements with third parties.
- Enforcement of your contractual remedies against third parties who breach their contractual terms with you.
- Revising your existing terms and conditions of trade.
- Advising on the implications arising from data transfer both within EEA and elsewhere.
- Advising on how to respond to a Subject Access Request.
- Advising on the handling of a data breach.
- Advising and representing you in respect of any regulatory action taken by the Information Commissioner’s Office.
If you would like to know more about how Thursfields can assist you in your GDPR implementation programme, please contact Stuart Price on 0121 227 3867 – firstname.lastname@example.org or Jane Rudge on 0121 227 3885 – email@example.com who will be pleased to assist you.
Thursfields Solicitors has offices in Birmingham, Solihull, Worcester, Halesowen, Kidderminster, Stourport and Sedgley