
    10 tips to safeguard your reputation post-GDPR

    Published on 02 Jan 2018 by Lynne Callister

    Elizabeth Denham, the UK's Information Commissioner, has accused the media of scaremongering by focusing too heavily on the fines that may be imposed once the General Data Protection Regulation (GDPR) applies from 25 May 2018.

    While the numbers are certainly eye-catching (up to €20 million or 4% of global annual turnover, whichever is higher), Denham argues that this fixation is a distraction and misrepresents the regulation: "This law is not about fines. It's about putting the consumer and citizen first. We can't lose sight of that."

    Denham insists that:

    • The ICO will not impose maximum fines early on, for minor breaches, or simply to make an example of firms
    • Imposing fines is always a last resort, and the evidence backs this up (of the 17,300 cases the ICO handled in 2016/17, fines were imposed on just 16 organisations)

    But let's not forget that the ICO has a variety of other tools at its disposal - warnings, reprimands and corrective orders - each with the potential to inflict significant damage on a company's reputation. It's not just about the money. Are you ready?

    Follow these tips to safeguard your reputation post-GDPR


    1. Set the tone from the top - Demonstrate your commitment to data protection at the highest level, with statements from the CEO and the Board. This sends a clear message to everyone that data protection matters and must be taken seriously.
    2. Start documenting - Record what personal information you collect, use, store and share with others, and map the areas that will have the greatest impact on your operations and therefore need the most work. This inventory is also the natural starting point for a Data Protection Impact Assessment.
    3. Review and document your legal basis - Which legal basis do you currently rely on for collecting and using personal information? Is your processing fair? Remember that where you rely on consent, individuals have much stronger rights (for example, the right to withdraw that consent at any time).
    4. Review and update your privacy policy and notices - including how and when they are communicated. In most cases you should already state who you are and explain how you intend to use personal data; under GDPR you'll also need to state your legal basis for processing, the retention periods that apply and individuals' right to complain to the ICO.
    5. Check individual rights - Check that your current procedures address all of individuals' rights, especially the new rights of erasure ("to be forgotten") and data portability. Make sure you have a lawful basis for keeping the personal data you hold; where you rely on legitimate interests, it's down to you to demonstrate that those interests are not overridden by the interests and rights of the data subjects, and you need a process for dealing with anyone who objects to that processing.
    6. Review procedures for subject access requests - After 25th May you'll have just one month to respond to a SAR (extendable by up to two further months where a request is complex or numerous, provided you tell the individual within the first month). Are changes needed to speed up your response? What arrangements are in place for handling more complex requests, for example by improving communication with the people making them?
    7. Review and update consent - How do you currently obtain consent? Can you prove, in every case, that you have consent to process the personal data? If not, how will you document the consent you have, and how will you refresh any consent that doesn't meet the GDPR standard of being freely given, specific, informed and unambiguous?
    8. Be proactive and aim for data protection by design - Going forward, how will you build data protection into all your processes from the start, to minimise the risk of breaches and ensure all of your processing is fair and lawful? Have you carried out and documented Data Protection Impact Assessments (DPIAs) or Privacy Impact Assessments (PIAs) to strengthen protections for individuals? Look at every 'touchpoint' where you request, use, store or transfer personal data: what processing do you carry out there, what legal basis applies, and so on.
    9. Appoint a dedicated Data Protection Officer - if you haven't done so already (a DPO is mandatory for public authorities and for organisations whose core activities involve large-scale regular monitoring of individuals or large-scale processing of special categories of data, and is good practice for everyone else), and make them responsible for data protection compliance right across the organisation. Consider how they will fit into your existing organisational structure, the responsibilities they should have (e.g. liaising with regulatory bodies, board-level reporting, providing training) and governance issues such as their independence and their direct line to senior management.
    10. International transfer issues - Where your operations are global or cross-border in nature, you'll need to determine which data protection supervisory authority acts as your lead authority; whether binding corporate rules cover intra-group international data transfers (or whether they should); and whether employees are adequately trained on which transfers are and aren't acceptable. What support or advice is available to help them make the right decision? Where you rely on consent for international transfers, how is it obtained, and are individuals made fully aware of the possible risks at the time they consent?

    Want to know more about GDPR?

    As well as 30+ free compliance training aids, we regularly publish informative GDPR blogs. And, if you're looking for a training solution, why not visit our GDPR course library.

    If you've any further questions or concerns about GDPR, just leave us a comment below this blog. We are happy to help!

