John Mitchell, partner at law firm Blake Morgan, looks at what firms need to do to ensure they are, and remain, GDPR-compliant.
While the dust may have settled on the 25 May deadline for the new General Data Protection Regulation (GDPR), it was only the first stage of the UK and EU’s data protection journey.
As with all law, information compliance will keep evolving, so businesses need to make sure they remain up to date with new developments.
Leaving the EU will not mean GDPR does not apply in the UK; the law applies to all citizens of the EU and works in conjunction with the UK’s Data Protection Act.
The best way to make sure you meet data protection obligations is to ensure that compliance activities to protect any data you store are firmly built into your business practices. The steep fines available in the event of non-compliance with GDPR – up to €20m or 4% of annual worldwide turnover – are persuasive sticks for enforcing good data management practices.
However, the principles behind GDPR, which aim to make organisations more accountable and transparent as to how they use and protect individuals’ data, offer an opportunity to build trust with customers and employees.
Understanding what personal data you hold, what you do with it, how you got it and who has access to it is vital. If you store and process personal data relating to living identifiable individuals, GDPR requires you, among other things, to advise them of the legal basis for processing their data – i.e. what legal grounds exist that allow you to do what you do with it.
GDPR also comprises new or tighter requirements where special category data (formerly sensitive personal data) comes from employees and children, and how these apply can vary, so clarifying how the legislation applies to you is key. If you use an external supplier to process data on your behalf, such as a marketing agency or a cloud computing provider, you also need to make sure their processes allow you to meet your compliance obligations and that they are tied in with a GDPR-compliant contract.
Ensure your data policies and systems are clear about how you store and use any and all personal data. Make sure that everyone in your business is familiar with the steps involved in managing data well. A key part of GDPR involves protecting data and investigating any security breaches, so all staff need to be familiar with IT procedures that keep your business and all data you hold safe – use secure systems including passwords, encryption, firewalls, and up-to-date anti-virus software.
Where necessary, invest time in training staff to ensure they adhere to these procedures and are aware of the threats posed by phishing, hacking and other cyber-security breaches.
The Information Commissioner’s Office has said there is no grace period for enacting compliance. However, it also provides advice on how to meet obligations and encourages a proactive approach to managing data responsibly.
A key principle of GDPR is accountability, so businesses must be able to demonstrate the steps they’ve taken to comply with their legal obligations around managing and protecting data. All of this will make it easier to comply with new GDPR requirements, protect data and, ultimately, your business and reputation.