IS YOUR BUSINESS READY FOR THE GDPR?
On 25 May 2018, new rules governing the way in which organisations collect, use and process personal data will be introduced under the EU General Data Protection Regulation (GDPR).
This new legislation will have direct effect in all EU member states, which for the time being include the UK. It is important to note, however, that the GDPR reaches beyond the EU: it applies to all organisations established in the EU which control or process personal data, and to organisations outside the EU which control or process the personal data of individuals in the EU in connection with offering them goods or services or monitoring their behaviour. Brexit will in most cases not affect the way in which the GDPR applies to UK businesses.
While some aspects of the current data protection legislation will remain largely unchanged, the GDPR introduces important new concepts, and certain operational and administrative tasks will need to be handled differently or, for some businesses, in a completely new way.
Broadly speaking if your business is subject to the Data Protection Act now, the GDPR is likely to impose increased liabilities and new, more onerous obligations from May 2018.
Organisations should be acting now to prepare: there are significant steps to be taken to ensure compliance by May 2018, and the Information Commissioner has already indicated that there will be no grace period once the GDPR applies.
For more information on the changes being introduced by the GDPR, please see our series of webinars. As new guidance is issued by the Information Commissioner's Office (ICO) and the EU Article 29 Working Party, we will be producing updates here, so please do check back regularly. In addition, please see the ICO website.
COMPLIANCE – HOW WE CAN HELP
Our data team is already advising clients on how to achieve compliance in time for the GDPR coming into force. We can assist you as you develop your own compliance project, or we can project manage the entire process, as required.
The first step is to carry out an audit of data flows to reveal:
- how your organisation captures, uses and processes personal data, including when you seek consent from data subjects (and, equally important, when you do not);
- what personal data you hold; and
- how you communicate to data subjects how their data is held, processed and used.
We have developed an initial questionnaire which you can download and complete. This incorporates the ICO recommended ‘12 steps to compliance’ to help get you started.
Once that exercise is complete, we can assist with a gap analysis to identify the areas where changes need to be introduced to ensure GDPR compliance.
From there we can help prepare a plan to implement the new procedures and policies required for compliance.
The plan will include the following:
- Assessment of whether there is a requirement (or a practical need) to appoint a Data Protection Officer (DPO)
- Helping to assess internal or external candidates for the DPO role
- Analysing what personal data is captured and whether it is appropriate for the required purposes
- Considering whether consent to use personal data has been, and is being, obtained where required, and in a compliant way
- Assessing security measures in place
- Developing processes for personal data breach notification (under the GDPR, notifiable breaches must be reported to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of them)
- Exploring whether technical measures, such as pseudonymisation or encryption, can be used to reduce risk
- Building privacy impact assessment (under the GDPR, data protection impact assessment) processes into your decision-making procedures
- Reviewing and updating data protection clauses in current contracts and templates
- Preparing data protection notices
- Training your Board and other personnel