
Elizabeth Denham, the UK's Information Commissioner, has accused the media of scaremongering by focusing too much on the fines that may be imposed once the General Data Protection Regulation (GDPR) comes into effect on May 25th.

While the numbers are certainly eye-catching (up to €20 million or 4% of global annual turnover under GDPR), Denham argues that this fixation on fines is a distraction and misrepresents the law: "This law is not about fines. It's about putting the consumer and citizen first. We can't lose sight of that."

Denham insists:

  • The ICO will not impose maximum fines early on, for minor infringements, or simply to make an example of a firm
  • Fines are always a last resort, and the record bears this out: of roughly 17,300 cases handled in 2016/17, only 16 organisations were fined

But let's not forget that the ICO has other weapons at its disposal: warnings, reprimands and corrective orders (including orders to stop processing), any of which can inflict serious damage on a company's reputation. It's not just about the money. Are you ready?

Follow these tips to safeguard your reputation and prepare for GDPR:


  1. Set the tone from the top - Demonstrate your commitment to data protection at the highest level, with statements from the CEO and the Board. This sends a clear message to everyone that data protection matters and is to be taken seriously.
  2. Start documenting - Record what personal data you collect, use, store and share with third parties, and map the areas where GDPR will have the greatest impact on your operations and therefore require the most work. This inventory is also the starting point for any Data Protection Impact Assessment.
  3. Review and document your legal basis - What legal basis do you currently rely on for collecting and using personal data? Is your processing fair? Remember that where you rely on consent, individuals have much stronger rights over their data.
  4. Review and update your privacy policy and notices - Check both the content and how and when they are communicated. In most cases you should already state who you are and explain how you intend to use personal data; under GDPR you must also state your legal basis for processing, the retention periods that apply, and individuals' right to complain to the ICO.
  5. Check individuals' rights - Make sure your current procedures cover all of the rights individuals have, especially the new rights of erasure ("the right to be forgotten") and data portability. Where you rely on legitimate interests to hold personal data, remember that it is for you to demonstrate that those interests are not overridden by the interests and rights of the data subjects, and decide how you will handle objections from individuals to that processing.
  6. Review your procedures for subject access requests - After 25th May you will have only one month to respond to a SAR. Are changes needed to speed up your response? What arrangements are in place for handling more complex requests, for example to keep the requester informed of progress?
  7. Review and update consent - How do you currently obtain consent? Can you prove, in every case, that you hold valid consent to process the personal data? If not, how will you go about documenting the consent you have?
  8. Be proactive and aim for data protection by design - Going forward, how might you build data protection into all of your processes from the start, to minimise the risk of breaches and ensure that all of your processing is fair and lawful? Have you carried out and documented Data Protection Impact Assessments (DPIAs) or Privacy Impact Assessments (PIAs) to strengthen protections for individuals? Look at every 'touchpoint' where you request, use, store or transfer personal data: what processing is carried out, what legal basis applies, and so on.
  9. Appoint a dedicated Data Protection Officer - If you haven't done so already, appoint a DPO and make them responsible for data protection compliance right across the organisation. Consider how they will fit into your existing organisational structure, what responsibilities they should have (e.g. liaising with regulators, board-level reporting, providing training) and how they will be governed.
  10. International transfer issues - Where your operations are global or cross-border, you will need to determine which data protection supervisory authority you come under; whether binding corporate rules cover intra-group international transfers (or whether they should); and whether employees have adequate training on which transfers are and are not acceptable. What support or advice is available to help them make the right decision? How is consent obtained for international transfers, and are individuals made fully aware of the risks at the time they consent?
