Cutting through compliance: General Data Protection Regulation (GDPR)

The situation

As of May 2018, a new Europe-wide directive comes into force: the GDPR. The Queen’s Speech outlined a new data protection bill to replace the current Data Protection Act 1998 and implement the new GDPR in the UK, as Brexit will not affect the UK’s need to comply.

Many of the main points of the GDPR build on what was established under the Data Protection Act, but there are also new elements and enhancements.

The changes place greater obligations on organisations, with potential fines for breaches as high as €20 million or 4% of global turnover.

The challenge

It will no longer be enough simply to say you comply with the GDPR; you are required to demonstrate how you are complying.

What you need to know

The Information Commissioner’s Office (ICO) is the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. It will be responsible for enforcing, and ensuring compliance with, the new GDPR.

Your Data Protection Officer (DPO) will need to report to the highest management level, operate independently and be given adequate resources.

In summary, the GDPR includes the following rights for individuals:

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • The right not to be subject to automated decision-making including profiling

Useful resources and top tips

Educate yourself and your employees

There are many resources and training options already available that can help you understand the regulation and how you need to comply. Amongst others, XpertHR and CIPP have a number of articles and courses, whilst the ICO is of course a wealth of knowledge on the subject. Ensure you share your learning with your colleagues and fellow employees to pioneer best-practice behaviours within your organisation.

Enquire with your software and/or services provider as to how they will be helping you on your journey to GDPR compliance.

Set out and implement your action plan to be GDPR ready

Work closely with your DPO to establish your GDPR action plan and put this into play to ensure you’re fully compliant as of May 2018.

Consider applying for a voluntary ICO audit

It might be worth considering whether your organisation would benefit from a voluntary GDPR audit by the ICO. By volunteering early on, it is possible that the ICO will not enforce any penalties for non-compliance against your organisation, as you would have been proactive in seeking guidance through the audit. Of course, it is imperative that you double-check up front that no penalties will be incurred if they do find anything!