
    Elizabeth Denham, the UK's Information Commissioner, has accused the media of scaremongering by focusing too much on the fines that may be imposed once the General Data Protection Regulation (GDPR) comes into effect on May 25th.

    While the numbers are certainly eye-catching (up to €20 million or 4% of global annual turnover under GDPR), Denham argues that this obsession is distracting and simply not true: "This law is not about fines. It’s about putting the consumer and citizen first. We can’t lose sight of that."

    Denham insists:

    • The ICO will not impose maximum fines early on, for minor breaches or just to set an example of firms
    • Imposing fines is always a last resort - the evidence backs this up (out of 17,300 cases in 2016/7, fines were imposed on just 16 organisations)

But let's not forget that the ICO has a variety of other weapons at its disposal: warnings, reprimands and corrective orders, each with the potential to inflict significant damage on a company's reputation. It's not just the money! Are you ready?

    Follow these tips to safeguard your reputation post-GDPR


1. Set the tone from the top - Demonstrate your commitment to data protection at the highest level with statements made by the CEO and Board. This sends a clear message to everyone that data protection matters and should be taken seriously.
2. Start documenting - Start documenting what personal information you collect, use, store and share with other people; map the areas that will have the greatest impact on your operations and hence require the most work. This is a good starting point for the Data Protection Impact Assessment.
3. Review and document legal basis - What legal basis do you currently rely on for collecting and using personal information? Is your processing fair? Remember, where you rely on consent, individuals will have much stronger rights.
4. Review and update your privacy policy and notices - Review and update your privacy policy and notices (including how and when they are communicated). In most cases, you should already state your identity and explain how you intend to use personal data; under GDPR you'll also need to state your legal basis for processing data, what retention periods apply and individuals' right to complain to the ICO.
5. Check individual rights - Check that your current procedures address all individuals' personal rights, especially the new rights of erasure ("to be forgotten") and portability. Make sure that you have a legitimate right to store personal data; remember, it's down to you to demonstrate that your legitimate interests override the interests of data subjects. Consider how you will deal with anyone who objects to your storing their personal data on the basis of legitimate interests.
6. Review procedures on subject access requests - After 25th May, you'll have only one month to respond to all SARs. Are changes needed to speed up your response? What arrangements are in place for handling more complex requests (for example, to improve your communication with anyone making such requests)?
7. Review and update consent - How do you currently obtain consent? Are you able to prove, in all cases, that you currently have consent to process personal data? If not, how should you plan to document the consent you have?
8. Be proactive and aim for data protection by design - Going forward, how might you integrate data protection into all your processes from the start, to minimise the risk of breaches and ensure all of your processing is fair and legal? Have you carried out and documented Data Protection Impact Assessments (DPIAs) or Privacy Impact Assessments (PIAs) to strengthen protections for individuals? Look at all the 'touchpoints' where you request, use, store and transfer personal data: what processing do you carry out, what legal basis applies, and so on?
9. Appoint a dedicated Data Protection Officer - If you haven't done so already, appoint a DPO and make them responsible for data protection compliance right across the organisation. Consider how they will operate within your existing organisational structure, the responsibilities they should have (e.g. liaising with regulatory bodies, board-level reporting, providing training, etc.), and governance issues.
10. International transfer issues - Where your operations are global or cross-border in nature, you'll need to determine which data protection supervisory authority you come under; whether there are binding corporate rules covering intra-group international data transfers (or whether there should be); and whether there is adequate training to educate employees on which transfers are and aren't acceptable. What support or advice is available to help them make the right decision? How is consent obtained for international transfers, and are individuals made fully aware of the risks at the time of consent?

    Want to know more about GDPR?

    As well as 30+ free compliance training aids, we regularly publish informative GDPR blogs. And, if you're looking for a training solution, why not visit our GDPR course library.

    If you've any further questions or concerns about GDPR, just leave us a comment below this blog. We are happy to help!
