
GDPR Compliance: If you still have more to do … we have the experience to help you.

A good time to review where you are, produce an outline project plan and get started on the remaining tasks?

Earlier this year, the General Data Protection Regulation (GDPR) came into effect across the EU, enshrined in the UK as the Data Protection Act 2018. For the last two years at Atticus Technology, we have been helping businesses prepare for the new legislation and understand the benefits for the business and for clients.

It might be that you’re not quite there at the moment; or that you need to review where you are up to. It’s equally possible that you haven’t done much at all with GDPR as other business priorities drag you elsewhere. Many organisations are trying to work out what to do to stay compliant. The full text of the GDPR contains 99 articles running to over 200 pages, and it can be a challenge cutting through it all to identify the practical steps to take.

Measured approach to filling the gaps

The rush to be GDPR compliant by 25th May is over and we’re into prioritising and sorting out a plan now rather than panicking or ignoring things completely. The latest guidance from the Information Commissioner is “Don’t panic … the important thing is to take concrete steps to implement your new responsibilities — to better protect customer data.”

The GDPR journey as a whole can be troubling for many organisations. Whilst the legislation describes at length how it expects organisations to handle personal data and the rights that data subjects have in relation to that data, it’s noticeably agnostic and ambiguous around how all of this is to be implemented and managed.

There isn’t a silver bullet or panacea for the GDPR and the recent bombardment by ‘experts’ foretelling fines, reputational damage and other nasties has led to GDPR lassitude across the board. Businesses are moving further from compliance due to a lack of knowledge around how to tackle the GDPR pragmatically and practically.

In essence, complying with the General Data Protection Regulation is about systems and practices built so that you know where your data is, how it is used, who has access to it and what rights the individual has over it.

The three main themes of the GDPR are Transparency, Data Subject Rights and Accountability.

  • Transparency

    – The GDPR expands the obligations of the business (as the Data Controller) and demands that organisations are clear to an individual about what data is collected (and held), how it is processed and what the individual’s rights are under the GDPR, and that this information is easily accessible.

  • Data Subject Rights

    – The GDPR introduces a number of new rights (erasure, portability) and strengthens existing rights around Fair Processing, Subject Access Requests (SAR), Rectification of inaccurate records, rules around profiling and automated decisions, and other adjustments to rights.

  • Accountability

    – Under the GDPR, Data Controllers are required to have appropriate systems and controls in place to manage data security, to allow for easy data management and care of the data, and to manage the risks around holding the data.

This would include (for example) appropriate IT Security, a suitable set of policies and procedures including those for managing the key aspects of the GDPR and a comprehensive record of the data held by the Data Controller.

Putting these measures in place will demonstrate compliance. The GDPR takes a risk-based approach to legislation, known as Privacy by Design: an organisation does not need to have suffered a data breach or other incident to be prosecuted and fined; it can be penalised simply for not ensuring that the most appropriate technical and organisational measures are in place to protect personal information.

Implementing GDPR is good for your practice – the benefits.

It’s important to move the focus away from what will happen if you don’t to what could happen if you do. There are many reasons why ‘doing things properly’ is beneficial – here are just a few:

  • The enhanced cybersecurity that forms part of the GDPR can often mean greater customer loyalty. At the very least, a lack of cybersecurity means a lack of customers: recent surveys show that 75% of customers would take their business elsewhere if an organisation was seen to be negligent;

  • Working towards GDPR compliance will improve data management and accuracy, minimising the data that you have to store and cutting the cost and time spent working with inaccurate information;

  • Increase your return on investment from marketing. When they know their data is in order, businesses will be able to create targeted materials based on correct data to engage clients that they can be sure are genuinely interested;

  • Boost client loyalty and trust – customer trust will improve and, more importantly, so will customer appetite for dealing online, which in turn streamlines operations and drives down costs;

  • Establish a new business culture. GDPR compliance shows that you value your clients’ data and respect their privacy. That’s a badge that a lot of people will be looking for.

So, where should you start?

Our experience is that a business should carry out a thorough gap analysis to understand how far away it is from best practice in line with the GDPR. An objective, independent review of your practice will identify, prioritise and then offer guidance on how best to deal with the key gaps and risks that you will need to address.

Our gap analysis audit and report looks individually at each of the 99 articles of the GDPR and provides comment on all that are relevant; it also works through the constituent policies and procedures of a data governance framework and compares them with the ones you currently have in place. Finally, a basic outline of an Information Asset Register is included, covering your main systems.

When the report is complete, the areas that the gap analysis is likely to highlight (to different extents, depending on your current working practices) are:

  • Compiling an information asset register through an audit of your systems, and recording information around the basis for processing, access and data retention for each of these systems;

  • Compiling (or updating) a meaningful set of policies/procedures and an overarching Information Governance Framework;

  • Promoting awareness of the GDPR and data security through information and training. This can only happen once the policies and procedures are in place;

  • Work around Article 32 of the GDPR, which relates to IT Security and systems capability;

  • Other actions around, for example, lawfulness of processing, consent and privacy, which would be identified during the gap analysis.

It is important to get this first phase right as the follow up and remedial work could be significant in terms of time and investment. If your focus is wrong then this will be wasted and you might not end up much nearer to compliance.

Next Steps

Wherever you are in your GDPR journey we can help you through fairly priced, effective and pragmatic consultancy. The GDPR is not a checkbox exercise; it’s not just about technology and it’s not just about operational practices.

We know that not every business has a dedicated, trained expert to keep up with it all. Even those that have a resource in place sometimes need additional support. We also understand that budgets can be tight and that every penny of spend needs to be justified. For that reason we offer the gap analysis to target specifics and give you a firm idea of what needs to be done. You can then take as much or as little help from us as you require.

Perhaps now would be a good time to review where you are, produce an outline project plan and get started on the remaining tasks. Demonstrating a will to work towards compliance is the best option!

Contact Frank Manning at fmanning@inpractice.co.uk or on 07778 572420