Data Protection and GDPR Compliance

The General Data Protection Regulation (GDPR) simplifies data privacy compliance by replacing a number of different country laws with one that’s common across the 28 countries of the European Economic Area (EEA). It was brought into law in the UK by the 2018 Data Protection Act (DPA). The DPA remains in place after Brexit.

We are spending more and more time ‘online’ whether downloading music, streaming films, sending texts, using social media or even doing our banking. Each time we use a system, we allow businesses, charities or the government to use our data. That data can be used to target us for advertising, to predict our future purchases or to capture information on our health or our family. Our data therefore has a value not only to businesses, charities and the government but also to criminals who want to capture it and sell it on the dark web.

The GDPR helps to ensure that every organisation takes its data processing responsibilities seriously and puts in place stringent measures to protect our personal data – whether we are a customer, an employee or an interested party. It also ensures that breaches are reported promptly.

The GDPR applies to any organisation – business, charity or government body – operating within the EU who captures and stores our data. It also applies to organisations outside the EU which provide products or services to EU residents.

The GDPR is not governed by size or sector. Even small businesses must take steps to be GDPR compliant. Although you may hear that companies under 250 employees don’t need to keep certain records, it’s actually hard to be compliant if you don’t! So, the GDPR applies to Pete the Plumber in pretty much the same way as it does to Barclays Bank. Of course, Barclays Bank can afford a team of experts to advise on GDPR whereas Pete the Plumber and other SMEs need a cost-effective way of accessing GDPR expertise on demand. That’s where we come in.

It’s best if all employees are trained on the GDPR so they can take personal responsibility for ensuring compliance. Marketing, HR, finance and customer service teams in particular have a key role to play in safeguarding data.

To be GDPR compliant, you must identify the data you hold, determine why you have that data, be clear on whether you are sharing it with anyone and put steps in place to protect data and monitor data usage. You must also be able to identify a data breach and understand how to notify both the ICO and stakeholders.

As part of your GDPR compliance, you will normally need the following documents: privacy policy, cookie policy, terms and conditions of website use, data retention policy, IT security policy and data processing agreements. Our GDPR experts can help you identify areas of non-compliance as part of a GDPR Discovery Review.

Yes. Being GDPR compliant reduces the risk of customer loss, reputational damage and reduced profits.

GDPR compliance ensures your customers can trust you with their information and safeguards your hard-earned reputation. Get it right and it will help you to win business. Get it wrong and the consequences could be far costlier than seeking expert help in the first place.

The Data Controller is the organisation responsible for deciding how personal data is processed.

The Data Processor is the organisation which processes the data on behalf of the controller, for example, a marketing consultancy or an outsourced payroll provider.  

Some organisations may need to appoint a Data Protection Officer (DPO) . This role requires in-depth knowledge of the GDPR and the DPA and has some additional legal responsibilities. Many smaller businesses find that outsourcing this role provides them with the expert knowledge they need. We’re always happy to have no obligation chat to establish if you need a DPO. Find out how a Virtual DPO service can help your business…

Our blog on ‘Who’s Who in GDPR?’ will help you identify if you’re a Data Controller, a Data Processor or both. You can find a simple guide to your responsibilities in ‘Who Does What in GDPR?’.

The 2018 Data Protection Act requires a mindset change – organisations cannot collect as much information as they think that they might need and they can’t keep it forever. At Risk Evolves, we encourage organisations to do a ‘data declutter’ so they only keep the information that they really need – for example, HMRC requires organisations to keep some financial data for the current calendar year, plus a further six years. At the end of this period, it can be deleted. Aside from being compliant with the DPA, by deleting unwanted data, you also prevent it from being lost or stolen!

If you’re unsure of how long to keep data for, or even where to start, give us a call.

A privacy policy or privacy notice is simply a document that explains to your staff, customers, suppliers and web visitors what data you collect about them and why. It should explain whether you share the data with any other organisations and tell them which countries their information is being processed in.  It has to be written in a way that your audience can understand (we have a passionate dislike for legal documents written in 6pt font!) and is an opportunity to reassure your reader that you are looking after their personal information in a way which is respectful. Finally, it should explain to your reader how to contact you if they want to exercise their rights.

Our ‘GDPR – What happens next?’ course provides a comprehensive introduction to GDPR. It is ideally suited to those organisations that prepared for the GDPR back in 2018 but have not kept up to date with their processes and risk assessments.

Our ‘GDPR – What to do in a crisis?’ course will help your employees to understand what constitutes a data breach and ensure they can confidently develop a plan to handle any future incidents.

Our ‘GDPR – The role of Trustees and Directors’ stimulates board-level understanding and drives a culture of compliance from the top down.  Trustees and Directors have a legal obligation to ensure that their organisations are compliant, this course makes it crystal clear how they can do so.  

We can also put together bespoke GDPR training packages, e.g. for marketing or HR teams.

All GDPR training can be delivered onsite or online. Please contact us for more information.

No, just like your car insurer won’t pay out if you’re caught speeding on a motorway, your organisation’s insurer won’t pay out if you fail to comply with the GDPR. As a GDPR fine can be up to 4% of the previous year’s worldwide turnover (or 20 million Euros), it’s definitely worth putting in place measures to ensure compliance. We can help you by assessing your current compliance as part of a GDPR Discovery Review or providing ongoing support as part of Compliance as a Service or GDPR Critical Friend service.

The following certifications will help embed a culture of data protection and reassure your stakeholders that you are trustworthy and credible:

IASME Governance: the combined GDPR and Cyber Essentials accreditation for smaller businesses

ISO27001: the internationally recognised standard for Information Management

ISO27701: the new ‘gold standard’ for Privacy Information Management

BS 10012: a British standard for a Privacy Information Management System

The Data Protection Act 2018 is the UK Government’s implementation of the GDPR. It is actually wider in scope than the GDPR. For example:

• It includes some differences which accommodate our security services (MI5, MI6 and GCHQ) and our law enforcement organisations
• A number of criminal offences were introduced including those of deleting data in scope of Subject Access Requests (SARs) and ‘de-anonymising’ anonymised data
• There are a number of exemptions that mean that data does not need to be shared with data subjects, for example, employee references shared between employers

There are also some smaller differences, for example:

• The DPA sets the age that a child can consent to data processing at 13, the GDPR sets this at 16
• The inclusion of an annual registration fee for UK organisations
• The role of the ICO including its duties, function and enforcement powers