Why is GDPR So Important?

The General Data Protection Regulation came into force in May 2018 and will, we believe, change businesses' view of personal data forever. It brings with it financial penalties and, in some cases, personal Director liabilities, something none of us can take lightly. Whilst the predecessor to the UK's Data Protection Act (2018) lacked bite, this certainly isn't the case with GDPR.

The ICO (the DPA in the UK) and other DPAs across Europe now publish their court successes on their websites, publicly chastising the offending companies. Whilst you may be able to afford the penalties, publicity surrounding a breach of Personally Identifiable Information ('PII') isn't something any of us needs.

The GDPR is here to stay, and its impact will continue to be felt by all of those companies that merely pay lip service to it. The ICO has already confirmed that it will proactively support class actions after a successful prosecution.

The GDPR Institut has developed a 15-step process for delivering a successful GDPR programme.

The following steps will also provide guidance on how to be compliant with the GDPR:

  • Assess current Data systems, policies and procedures
    • Be aware of what kind of data is held, where it is stored and how it is protected. What kind of software and technology is in place to protect data?
    • Review the current data-related policies and procedures, including encryption, remote access, mobile devices, sensitive information, HR exit procedures, third parties and data breach notifications.
    • Consider requesting a third-party data security company to carry out an objective assessment.
  • Identify risks and gaps to meet the GDPR requirements
    • Are the current systems, policies and procedures adequate to protect data? Are there any risks of data breaches?
    • Individuals’ rights – are there systems in place to transfer personal data to other companies and to delete personal data if requested?
    • Are requests for permission to use customers’ personal data clear on the purpose and period of time?
  • Identify solutions
    • Research suitable solutions for any identified risks or gaps.
    • Solutions must be implemented as soon as possible given the GDPR is already in force.
  • Designate a Data Protection Officer or lead contact
    • A DPO can be appointed if mandatory for the business, or an internal lead contact person can be appointed for data protection initiatives and to communicate with the Data Protection Authority if required.
    • The DPO or lead contact should communicate with senior management to discuss data protection strategies and for approval.
  • Staff training and awareness
    • Ensure that staff are aware of the importance of data protection and any new/amended processes to comply with the GDPR.
    • Ensure internal teams communicate with each other to maintain data protection, such as IT, Security, Legal and Compliance teams.