May 25th 2018 is an important date for your diary. This is GDPR day…GDPR being the acronym for the less snappily titled “The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679)”. GDPR replaces the Data Protection Act from 1998 and seeks to bring the law up to date, addressing the way in which organisations collect, process and use all of the data now in circulation. Almost every business holds personal data to one degree or another. It doesn’t even have to be held on a computer for the law to apply. But don’t make the mistake of thinking that GDPR is there simply to protect data; its scope is far wider than that, and data security is only one element of what the GDPR is about. Fundamentally, it exists to protect the rights of data subjects, and it is the infringement of these rights that can lead to serious repercussions.
Businesses ignore the GDPR at their peril. Failure to comply with the regulations could expose the business to external audits by the Information Commissioner’s Office (ICO), compliance obligations, compensation payments to data subjects, and penalties and fines of up to €20 million or 4% of global turnover. And those are just the regulatory sanctions. Just think about the direct and indirect costs associated with the loss of reputation businesses will inevitably suffer in the event of a data breach.
GDPR compliance is going to be a journey for all organisations. It’s also a great opportunity to show your customers how much you care about keeping their information safe and secure.
Inevitably this will have to start with a detailed review to establish what, where, and why data is currently held. Staff and stakeholders will need to understand the role they will need to play and why, and policies will have to be written to underpin all processing activities. Relationships with customers and third parties will need to be considered and revised. Use of customer data will need to be transparent and in many cases specific consent will be needed for data to be processed. It will not be possible any longer to keep that hidden away in your terms and conditions or website user terms – express and specific consent may have to be sought and it must be just as easy for a data subject to withdraw their consent as it is to give it. This will involve both technical and legal input from the organisation’s IT and legal suppliers.
Ignoring the new regulations isn’t going to be an option. The ICO have every intention of policing compliance and are ready, willing and able to impose penalties. Beyond this, they will have the power to audit organisations and impose rectification orders on defaulters. It is likely that fines of the size of the headline figure of €20 million will be reserved for the worst offenders who fail to remedy their practices even where there has been prior ICO intervention. However, it doesn’t necessarily follow that organisations will not receive fines for failing to comply with Subject Access Requests, or for leaving unencrypted laptops or mobile phones on the train.
Over the coming weeks, we will be publishing a series of blogs to help you understand more about your obligations under the regulations and giving you some tips on how these can be introduced to your business. You can learn how to sign up for the blog at the bottom of this article.
We thought it might be helpful to give you a series of initial action points, so that you begin to address some of the key issues within your organisation. All teams from sales, marketing and production to finance, HR and legal will have their own take on how GDPR relates to their departments and the wider business:
- Carry out a detailed information audit to establish the nature of the data held, the format it takes, whether it’s still relevant or if it should be deleted, whether it is secure and who else has access to it.
- Identify areas of non-compliance with GDPR and allocate resources to remedy them.
- Develop a risk mitigation strategy.
- Review your employment handbook and create or revise your existing data protection policies.
- Make your staff and stakeholders aware of the importance of GDPR compliance to your organisation and give suitable training. This should also form part of new starter induction.
- Review your existing terms with suppliers and customers.
- Decide how you intend to collect data from customers in the future.
- As part of developing any new project, decide what impact GDPR has on the processing of data generated as part of that exercise.
- Decide upon the specific purposes for which you intend to use that customer data.
- Decide how you will secure consent from data subjects and how you will deal with requests to withdraw consent.
- Make sure you are transparent at all times in your dealings.
- How will you deal with data access requests from customers?
- How will you find out about and deal with data breaches?
- Decide if you need to appoint a Data Protection Officer (even if this isn’t technically required under GDPR) or some other person to take responsibility.
- Check that your insurance policies will cover you for the costs arising from a breach of GDPR and the criteria under which claims will be met (and denied) to make sure your policies address these matters.
- Carry out regular reviews at both departmental and executive level.
So as you will see, there is much to be done and it will need your entire workforce to get behind the business owners and key stakeholders.
The good news is that you are not alone, and Thursfields experts can help you with your implementation plan in some of the following ways:
- Organising a legal audit of your data policies and providing you with a detailed remedial report and strategic plan to start your compliance journey.
- Revising your employee handbook and contracts of employment.
- Drafting policies that address issues such as use of computers, phones, memory sticks, laptops, BYOD, third party access, physical file storage and use and security.
- Training your staff on their legal responsibilities under GDPR and how these relate to the revisions to the employee handbook.
- Considering your current recruitment strategy and deciding how you might react to “feedback” requests from unsuccessful candidates.
- Drafting your data protection policies to regulate the relationship with customers and suppliers.
- Advising you on whether your proposed data processing is lawful and meets the legitimate interest of the organisation.
- Revising your data outsourcing arrangements with third parties.
- Enforcement of your contractual remedies against third parties who breach their contractual terms with you.
- Revising your existing terms and conditions of trade.
- Advising on the implications arising from data transfer both within EEA and elsewhere.
- Advising on how to respond to a Subject Access Request.
- Advising on the handling of a data breach.
- Advising and representing you in respect of any regulatory action taken by the Information Commissioner’s Office.
In the meantime, and in the lead up to the GDPR date, we will be publishing a series of blogs on different aspects of GDPR. If you would like to receive these blogs straight to your inbox, please let us have your contact details (using the “sign up box”). We will only use this data for the purposes of sending you these blogs and informing you about Thursfields’ wider legal services offering. You may of course withdraw your consent to receiving this information at any time by unsubscribing from future mailings.
If you would like to know more about how Thursfields can assist you in your GDPR implementation programme, please contact Stuart Price on 0121 227 3867 – firstname.lastname@example.org or Jane Rudge on 0121 227 3885 – email@example.com who will be pleased to assist you.
Thursfields Solicitors has offices in Birmingham, Solihull, Worcester, Halesowen, Kidderminster, Stourport and Sedgley.