GDPR: An Expert’s View

– 16 January 2018 –

Getting Prepared for GDPR


The first thing to bear in mind when hearing the letters GDPR is not to panic.  It's correct that the GDPR (the General Data Protection Regulation) comes into force on 25th May 2018, but what most people don't seem to have remembered is that the Data Protection Act has been legislation since 1998 and the GDPR simply follows on from that.  I think what has most people running scared is that the maximum fines for non-compliance are set to rise rather dramatically, but more on that later.


If your organisation has been compliant with the present legislation then you really only need a few tweaks to become ready for the GDPR.  The governing office for Data Protection is the Information Commissioner's Office (ICO), and that is the organisation which sets the rules, provides advice and will impose any sanctions for a breach or for non-compliance.  It has an extremely helpful website (ico.org.uk) which, if you navigate it properly, will provide you with the answers to most of your queries.


Many people that I meet don't appear to understand the need for data protection.  Please remember, when preparing for the legislation, that you are a data subject too: your personal data is processed by many different organisations, from your bank to your favoured online shop, the local takeaway, your doctor; the list is endless.  You would hope and expect that the information you provide to them is kept safe and secure, without anyone being able to access it, hack it, or potentially abuse you with knowledge of it.  The data subjects whose data you process expect the same from you.  Just as you don't want to be bombarded with marketing that you haven't requested and that is of no relevance to you, your data subjects should be afforded the same courtesy.


They expect that you will keep their data safe and secure, and that you'll provide them with a copy of the information you hold about them in a clear and concise format within the specified time period (30 days, including bank holidays and weekends under GDPR) should they request it.  They expect that you will delete their information once it is no longer in use and that you won't share it with anyone unless it has been made clear to them what you will be doing with it.  The DP regulations (and the GDPR) simply set down the legislation that governs these processes.


The key to the GDPR is accountability.  You need to make sure that you can justify why you hold certain information about an individual, on what legal basis you process it, and for how long you intend to keep it.  Your privacy policy should clearly state this and should be easily accessible to visitors on your website.  Alongside it you need clear, easy-to-understand internal policies on security, retention and so on; contracts with all third parties setting out how they are to handle the data that you share with them; and an easy-to-follow breach policy, i.e. what to do if a breach occurs.  Remember that it is your responsibility to protect and keep secure the data you collect and process.  It's no good blaming someone else if your website is hacked and the data is compromised.


If your organisation is based upon its marketing then ensure that you're up to date with the provisions of the Privacy and Electronic Communications Regulations (PECR) and that you stick to these in line with the GDPR.  In other words, when collecting data for marketing purposes make sure the subjects you're collecting it from know what you intend to do with it, so that they can decline to receive it in the first place, and make sure that they can 'unsubscribe' from it easily afterwards.  There is simply no point bombarding an unwilling individual with information that is of little or no interest to them, regardless of whether you think it might be.  Target your marketing accordingly and you may have more chance of success.  The GDPR doesn't mean the end of digital marketing, but it does mean the thinking has to be a little smarter.


Coming back to the sanctions I mentioned earlier, the ICO will not always immediately fine someone for flouting the rules.  Although it's not yet clear how heavy-handed the Commissioner's office will be, as things stand at the moment she tends to issue enforcement notices and undertakings before moving directly to monetary penalties, depending on the nature of the breach.  She does, however, have the power of criminal prosecution in some circumstances, and the monetary penalties can be severe: up to 4% of global turnover or 20 million euros (whichever is the greater sum) in the more serious cases.  These more severe sanctions are scary, but they're meant to be.  They won't apply to you or your organisation if you comply with the rules.


You will know by now that this article will not answer all your questions, nor will it prepare you for DP compliance, as I have barely scraped the surface of all you need to know; but hopefully it will help you to breathe a little more easily and realise there is light at the end of the tunnel and it's not all doom and gloom.  As a data subject I welcome the fact that organisations are waking up to the need to protect my personal information and I hope that, when you think in those terms, so will you.


Remember, help is at hand both here and on the ICO website.


Happy New Year!


Emily Culverhouse has been a practising barrister since her call in 1998 and has specialised in Data Protection law since 2012 when she joined forces with her colleague Clara Westbrook in the boutique consultancy Westbrook Data Protection Services.  She regularly advises businesses (of all sizes), schools and charities in relation to the regulation side of Data Protection, conducts audits and runs training courses.


Emily is also a local Councillor and is presently Town Mayor of Chesham where she is directly involved with a number of local charities and organisations.
