GDPR: What should I be doing?

Chris Cook, Julie Gingell & Emma Gross share how you can start preparing for the GDPR.

Confused about the impacts of the new General Data Protection Regulation? Worried about meeting the May 2018 deadline? SA Law has been helping clients and contacts to understand the new era of data protection, and guiding them towards an effective compliance roadmap.

What is GDPR?

The General Data Protection Regulation is new EU legislation that harmonises the way organisations handle the personal data of individuals in the EU, whatever their nationality. Brexit does not change this: the GDPR applies from 25 May 2018 and the Government has confirmed that the UK will adopt it, making it the biggest shake-up of data protection law for 20 years. It introduces new obligations for organisations, greater accountability and much larger fines for non-compliance.

Why is this happening?

The modern information era has turned personal data into a valuable commodity. Unfortunately, the laws that protect personal data were written before Facebook and Twitter existed, and when Google was just a relatively small start-up. As a result, the rapid expansion of online services over the last ten years has caused a great deal of confusion over how organisations should protect people’s identities, particularly in the face of escalating online crimes such as identity theft. GDPR serves to reduce this confusion by bringing the law up to date with the modern era.

Are the changes significant?

While many of the core obligations remain the same, there are some key changes that will fundamentally affect the way your organisation handles personal data, from the way you talk to customers, to the way you recruit employees.

The most visible change is the size of the maximum fine, which rises from £500,000 under the Data Protection Act 1998 to €20 million (around £18 million) or 4% of your worldwide annual turnover, whichever is greater. Individuals who suffer material or non-material damage as a result of an infringement also have a right to claim compensation from you. At first, the media painted a picture of apocalyptic ruin for any organisation that failed to comply with the new law by 25 May 2018. In reality, there is no formal grace period, but the ICO has said that its enforcement will be proportionate, and an organisation that can show what it has done to meet its new obligations will be in a far better position than one that cannot.

Perhaps the most significant change is the higher standard for consent. Consent is only one of the lawful bases for processing personal data, but where you rely on it, it must be freely given, specific, informed and unambiguous, and given by a clear affirmative action. Implied consent will no longer do, so pre-ticked opt-in boxes and silence don't count, and you must be able to demonstrate that consent was given. This means that most organisations will need to reconfirm consent to some degree with customers and marketing lists, and to check whether consent is the right basis at all for employee data, where the imbalance of power makes it hard to show that consent was freely given. For online services offered directly to children, the UK has set the age of consent at 13 (the GDPR default is 16); below that age, consent must come from a parent or guardian.

The new law also strengthens the ‘right to be forgotten’ (the right to erasure), under which people can ask you to delete the personal data you hold about them. The right is not absolute, but you must act on it where it applies, for example where the data is no longer needed for the purpose it was collected for, or where they withdraw the consent you relied on. From May 2018 you also have less time in which to fulfil Subject Access Requests: if someone asks to see a copy of the information you hold about them, you have one month to comply under normal circumstances (extendable by up to two further months for complex or numerous requests), and in most cases you can no longer charge a fee.

There are other changes that you will need to assess the impacts of, including new special categories of personal data (genetic and biometric data), and the requirement to report a personal data breach to the ICO within 72 hours of becoming aware of it where it is likely to result in a risk to individuals, and to tell the affected individuals without undue delay where that risk is high. For a full list, check out our 12-point outline of the key changes.

What should I be doing?

Meeting the new GDPR obligations can be boiled down to three compliance objectives. You must ensure that: 

  • All personal data you hold has been gathered compliantly
  • Your systems and processes store, use and dispose of personal data compliantly
  • Your employees are trained in their compliance responsibilities. 

Our recommended roadmap to achieving this covers five logical stages:

1. Plan and audit

As always, change programmes such as these work best when they are organisation-wide in scope and driven from the top. Begin by assembling an appropriate compliance team, with a senior leader as spokesperson and chair. Next, assign a budget. Although GDPR activities may not require extensive investment, some budget for awareness and training is likely to be needed.

2. Prepare

To identify the actions you need to take, you must first understand what the organisation is doing at the moment. Initiate a comprehensive fact-finding exercise to determine the full nature of the personal data you hold and how you process it. Ask key questions such as: 

  • How did you gather the data?
  • How long have you held it for?
  • Did every individual give their consent, or what other lawful basis do you rely on? 

At the same time, understand how information flows around the organisation, and how employees actually handle it. All of this information helps to determine: 

  • The gap between your current systems and processes, and your GDPR compliance requirements
  • The gap between how employees currently handle information, and the way they should be handling it
  • How compliant your data is. For example, who do you need to obtain consent from? 

With the gaps identified, you can plan your strategy for closing them. SA Law’s Data Risk Register can help you analyse where your risk exposure is greatest.

3. Implement

Start with systems and processes, and any policies that you use to govern them. These may need to be redrafted to reflect the new changes. The aim is to create a flexible Information Governance Framework (IGF) that meets your compliance obligations, yet enables you to deliver on short and long-term business objectives.

You can also begin to deliver awareness and education activities that prepare employees for the new law. Larger organisations will likely need a more formal change programme, while smaller ventures may only require a few informal training sessions.

Finally, begin the process of reconfirming consent with customers, employees and anyone else whose data you hold. 

4. Deploy

Ideally, deploy your new information regime ahead of the May deadline, which gives you time to iron out the bugs. During that time, run a few breach scenarios against the clock to make sure everything operates smoothly within the 72-hour reporting window: employees notifying you promptly, your marketing function preparing customer communications, and your PR team preparing for damage control.

5. Manage

Once compliant with the new data protection law, you need to stay compliant by keeping it at the heart of your organisation. Make sure employees are following your data protection processes, policies and procedures on a day-to-day basis, including regularly reviewing, minimising and deleting data in line with requirements. Data protection must stay on the agenda for operational meetings, and all new projects and organisational changes must be planned and implemented with ‘data protection by design and by default’ in mind.

Ongoing data protection training is essential, both as part of your induction process and as refresher courses. Run regular data breach drills so you can execute your data breach plan swiftly. If faced with a breach, make sure you follow up by investigating the causes, implementing change, and communicating developments to staff and customers as required. 

Think positively

One final thing to bear in mind is your attitude towards GDPR. It’s easy to see it as a large stick with potentially devastating impacts when something goes wrong, but this won’t help rally employees to the cause. Therefore, we recommend a more positive perspective. In an age where high profile data breaches and poor handling of the aftermath have weakened our confidence in many brands, GDPR represents an opportunity to ‘re-inspire’ customer trust. In effect, it presents an opportunity for competitive differentiation that could help you stand apart from the crowd.


© SA LAW 2018

Every care is taken in the preparation of our articles. However, no responsibility can be accepted to any person who acts on the basis of information contained in them alone. You are recommended to obtain specific advice in respect of individual cases.