With less than 5 months until GDPR comes into force, all businesses should be well underway with their preparations for the new data protection regime. But if you’ve not yet started, don’t panic: there is still time.
There have been a lot of headlines and hysteria about the new upper limits on fines that can be imposed under GDPR. However, enforcement will remain the responsibility of each member state, which means the Information Commissioner’s Office (ICO) will continue to deal with enforcement in the UK.
Are you going to be hit with multi-million pound fines under the new GDPR regime?
The ICO has always taken a measured approach to enforcement, and fines have previously been imposed only for deliberate or reckless acts where a business didn’t take reasonable steps to avoid a data breach. In addition, the ICO has generally reserved large fines for the worst transgressors, usually those responsible for either significant security breaches or large-scale unlawful electronic marketing.
At present, there’s no reason to think the ICO is going to change its attitude to enforcement. However, that doesn’t mean you can bury your head in the sand about GDPR. It’s vital that you get the right policies and procedures in place and make sure your staff are properly trained, as that will help you demonstrate you’ve taken “reasonable steps” if you are ever unlucky enough to suffer a data breach.
What should you be doing now?
The most important first step is to carry out a data mapping exercise. Work out what personal data you collect and process and for what purposes. You also need to think about how long you store data for and when you will delete it.
This will allow you to produce privacy notices, which you’ll need to give to anyone whose data you process.
The GDPR places a great deal of emphasis on accountability and being able to demonstrate your compliance. It’s therefore important that you also produce a full suite of policies and procedures setting out how you collect, process and delete personal data, and how your business will react if a data breach ever takes place. There are strict new rules on breach notification: a notifiable breach must be reported to the ICO within 72 hours of your becoming aware of it, and affected individuals must be told without undue delay where the breach is likely to result in a high risk to them.
You’ll also need to think about whether you need to appoint a Data Protection Officer. This is voluntary for many businesses, but it is mandatory for public authorities and for organisations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data.
Finally, if you use any third parties to process any of your data, you need to check that your contracts with them contain the mandatory processor terms the GDPR requires.
How can BHW help?
We can put together a tailored package to meet the needs of your business. If you’ve not yet carried out your data mapping exercise, we can help you with it. Whether or not you’ve done your data mapping, we can also help you put together your privacy notices (which must include certain key information set out in the GDPR) and your policies and procedures, and we can help you review and update your contracts with third party data processors.
We can also advise you on whether you need a Data Protection Officer and we can advise you on your other obligations under the GDPR. If you wish, we can also assist with staff training.
If you want to discuss any aspect of the GDPR, please contact Matt Worsnop at email@example.com.