19 Jul

GDPR – Four Letters and a Headache

Just when we were getting used to the Data Protection Act 1998, along comes its replacement, the General Data Protection Regulation.  It is designed to harmonise data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organisations across the region approach data privacy.

The Regulation has been in force for over two years but the date for compliance is not until 25 May 2018.  This sounds a long time away but there is quite a bit of work to do to ensure you will comply, so best to get going on a compliance project right away.

Interestingly, the GDPR doesn’t just apply to organisations located within the EU.  It will also apply to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.  Such organisations may well be your overseas suppliers.  If you are passing customer data to them, you will need to check that they comply with GDPR.

Brexit offers no escape.  The UK Government has indicated it will implement an equivalent or alternative legal mechanism. It is expected that any such legislation will largely follow the GDPR.

This is a serious regulation.  The penalty for a breach will be up to 4% of your annual turnover or €20 Million. In practice, though, unless you are knowingly and seriously breaching the Regulation, many experts believe that such a high fine would not be levied.

Quite a few companies have started their GDPR compliance projects to ensure that, come next May, they will comply.  Have you?  If not, my advice is to get going sooner rather than later.  It is always much easier to tackle a project when you have more time available rather than less and working towards compliance is going to take a significant amount of resource.

Here are some practical steps you might take to get started.

  1. Understand what GDPR is about.  The Information Commissioner’s Office website has some good documents to read.  Start your reading here.
  2. GDPR is not purely an IT project, so you will need to get everyone in the company on board.  Keep staff and management regularly updated as the project kicks off and progresses.
  3. Across every department of the business, you will need to audit all the personal data that you hold.  Understand what it is, where it is and how it is used.  Record all this and keep your records up to date.
  4. You will need to be aware of the whole data chain.  It will be your responsibility to ensure your suppliers are aware of GDPR and taking similar action to yours, so get in touch with them and ask them what they are doing about complying with GDPR.
  5. Update privacy policies on your website, ensuring they are clear, concise and that consent functions are thoroughly tested.
  6. Develop and test procedures for handling the following:

    - Subject access requests (the right of people to see the data you hold about them)
    - Subject access rectifications (correcting inaccurate data)
    - Subject access portability (providing data in a format that can be passed on)
    - Actioning right to be forgotten requests (removing people’s data and proving that this has been done).  Bear in mind this will also need to be done for third parties to whom you are passing personal data.

Yes, GDPR compliance is going to be a headache, but it’s got to be done so take a couple of paracetamol and get to work.