Sarah Lisgo, associate at commercial law firm Square One Law, talks about the myths and the compliance journey to GDPR.
The impending General Data Protection Regulation (GDPR) is high on the agenda for many of our clients. We are working with them to help dispel myths, remove uncertainty and ultimately assist with their GDPR compliance preparation in a practical and cost-effective way.
In today’s world personal data is being collected, processed and stored in ways not anticipated by the 1998 Data Protection Act. The GDPR legislates for our digital era and gives individuals greater control over their personal data and businesses a clear framework to abide by when handling this data.
Dispelling the myths
There seems to be a widespread misunderstanding that the GDPR only allows processing of personal data when individuals have given consent. In some circumstances this is the case; however, there are five other grounds for processing personal data lawfully. Frequently, one of these other grounds will be more suitable than consent. Organisations need to be sure that their analysis of the grounds for processing is accurate and documented to assist in demonstrating GDPR compliance.
A headline feature of the GDPR is the power of the Information Commissioner’s Office (ICO) to impose hefty fines on organisations in breach of their obligations (up to 4% of global annual turnover or 20 million Euros) and to order organisations to cease processing activities. However, the Information Commissioner has made it clear that fines will be proportionate to the breach. Companies are encouraged to be open and honest, and to report (where appropriate) breaches to the ICO within 72 hours of the data controller becoming aware of the breach. Not every data breach has to be notified to the ICO: if a breach is unlikely to result in a risk to an individual’s rights and freedoms, it does not need to be reported. Such risks might include discrimination, damage to reputation, financial loss or other social or economic disadvantage which might result from the breach.
In addition to fines, the ICO has a range of other sanctions at its disposal including warnings, reprimands and corrective orders. Although these sanctions are not monetary penalties they could cause significant reputational damage and interrupt business continuity.
Your compliance journey
Key principles of the GDPR are accountability and transparency. Organisations must be transparent about their use of personal data and able to demonstrate their compliance with the legislation.
Whilst compliance with the GDPR is an ongoing process, first steps include a data mapping exercise coupled with a review of current data protection policies and procedures, as well as a staff education programme and addressing cybersecurity issues. Data retention policies must be developed, and it is important to have an incident response plan to identify and respond to any breach in a timely way. Depending on the activity of the business, a data protection officer may need to be appointed.
It is also important that organisations understand the rights of individuals, for example their right to access information held about them and the so-called ‘right to be forgotten’. Organisations must be prepared to respond to such requests in accordance with the Regulations, including the prescribed time limits.
Compliance with data protection legislation may not seem like the most productive or exciting use of an organisation’s valuable time and resources. However, the time and cost spent on ensuring compliance is small compared to the potential financial and reputational risks if breached.
This ASK THE EXPERT article was produced by: Sarah Lisgo, Associate at commercial law firm, Square One Law