GDPR – A Beginner’s Guide
Many of our clients have been asking us: “What is GDPR?” and “What do I need to do?” There are so many elements to the new legislation that it’s difficult to pinpoint exactly what is relevant for every organisation. It’s important to remember that it’s a large piece of legislation and organisations should be treating GDPR implementation as a project as opposed to a quick fix. You’re likely to need many people within the organisation to get involved, and to seek external advice.
This guide explains what GDPR is in a simplified way, breaking down the legislation and giving those who are new to GDPR an overview of the new regulations.
What is GDPR?
GDPR (the General Data Protection Regulation) comes into force on 25th May 2018 and is intended to strengthen and unify data protection rights for individuals. All organisations need to be compliant with the new rules to protect all personal data held by them, including employee data, customer data, supplier data, data relating to members of the public, online tracking data etc. Any data that you process (including just storing) that identifies a living individual is regarded as ‘personal data’, and you need to ensure your compliance with the GDPR.
Why do we need to be compliant?
Quite simply, there are risks of fines by the ICO (the supervisory authority), depending on the category of the data breach, of up to £20 million (or 4% of gross annual turnover, whichever is greater). A fine of this size could effectively shut down a lot of businesses, so a breach could be absolutely fatal to your organisation. Individuals can also take organisations to court for compensation if they feel their rights have been breached. Having said this, beware of scaremongering – the ICO isn’t on the war path to fine everyone with a minor breach; in some cases where it decides not to impose fines, it may make suggestions to enable companies to become compliant. However, it’s not worth the risk, whether financial, reputational or otherwise.
What mistakes are businesses making?
A lot of organisations aren’t identifying the full range of personal data that they hold or process which falls under the legislation. There are the obvious areas such as employee files, email addresses used for marketing, customer details etc., but organisations really need to understand the full scope of what the legislation covers. GDPR also covers your tracking of online behaviour, any recordings via your CCTV that could identify someone, personal data you hold on a cloud database, biometric data, photographs where someone is recognisable etc.
Additionally, organisations may think they are compliant because they have good security measures in place, but you also need to be compliant in how you initially collect the data, how you share it and how long you retain it; you need to be constantly aware of the data subjects’ rights; and you need a lawful basis to process the data in the first place.
One of the major changes for organisations is the principle of ‘accountability’: organisations now need to document and keep a paper trail of their procedures when processing any personal data, and to record all or some of their processing activities, depending on the size of the organisation. Most organisations probably aren’t currently documenting their processing activities to the extent needed under GDPR, so this is something that needs assessing.
Many organisations don’t realise that some cloud providers hold or process the personal data shared with them internationally. There is a whole set of other rules under GDPR about sharing data internationally if the country is not deemed to have adequate safeguards (and it’s not as obvious as you may think, as the US is one of the countries deemed to have inadequate safeguards in place).
How does it affect my organisation, in practical terms?
There are many things to consider when implementing any GDPR compliant procedures, such as:
- What are you going to do with current marketing data? Are you sure it complies with the new, stricter rules of consent under GDPR to be able to justify still using it?
- Do you share data internationally? Are you aware of your obligations in this regard under GDPR?
- There are a number of things you should have in your commercial contracts with any organisations you are sharing personal data with, to protect yourselves.
- Are you confident that all your staff are aware of their obligations and can you demonstrate this? You can be held vicariously liable for any breaches they cause.
- Are you aware you need to review what’s in place on a continuous basis after 25th May?
- Have you undertaken a Data Protection Impact Assessment before implementing CCTV recording or other large scale data processing activity?
- Are you confident about whether you are legally obliged to appoint a Data Protection Officer?
- Have you got all your policies and procedures ready?
Where do I start?
GDPR is a minefield, without question, and it’s difficult to know where to start in order to move towards compliance, as there are so many different elements to the legislation.
The best starting point is to undertake a data mapping exercise so that you can identify all personal data held in your organisation, who is responsible for it and how it is used. We provide a template for this as part of our GDPR Advice Line Service. To help you even further, we offer a GDPR Report Service, where we send you a two-page questionnaire to complete and then issue you with a comprehensive report. The report will advise you of any action points in relation to the personal data you hold in your organisation. If you’re struggling to know where to start with it all, the GDPR Report Service can help with this.