Here we go again, another GDPR blog post! I have been getting a huge number of enquiries about GDPR, hopefully that means people are starting to take on board how drastically these changes may impact us. I’m moving on now to talk about implementation. What real steps can be taken at this point? Read on…
Risk Based Approach – Internal issues
Having worked as an in-house lawyer for a number of years, I always recommend that the business take a risk-based approach to matters. Money, time and resources are always tight, so deal with the big risks first.
It’s important to identify what data is covered, what the legal basis for processing it is, what internal security is in place, how the data can be accessed, deleted or transferred as required (with IT’s help?), and what client and employee consents exist. These are all matters largely within the control of the company, so policies, handbooks and training can be sorted out as required.
Make sure there is someone who is accountable for taking sensible steps to ensure the company’s compliance. Consider whether a Data Protection Officer needs to be appointed.
Reputation is key in the marketplace and demonstrating compliance is essential!
Risk Based Approach – External third parties
To my mind, a proportionate risk-based approach here would be sensible. Who are the key third parties? Who are the key suppliers? What is the contractual relationship between the company and that third party? Ask yourself whether contracts should be tweaked to take this new legislation into account.
I would also look at the volume of business with the third party. If you have key suppliers who are processing a lot of data – they will be data processors. If this is the case – it would be prudent to drill down into what their GDPR compliance position is: who is their DPO, ask them to show you their policies, and get signed acknowledgement (annually?) that they are adhering to their own policies. How far you go will depend on the risk they pose. Perhaps a tiered approach would be sensible? The Regulators are likely to take a sensible approach and we can give advice on the matter if you need it.
These are just SOME of the steps that you might consider taking. Every case turns on its own facts as to what steps are sensible.
GDPR – ICO
GDPR comes into force on 25 May 2018 but the ICO has yet to produce its final guidance (expected around December). Having said that, I personally find the new GDPR Regulation quite clear in its approach so it is definitely possible to have a fairly clear picture of how GDPR fits into the business prior to the end of the year. Given the Regulations make it clear that they are to apply to SMEs as well as global businesses (e.g. Google), common sense dictates that the steps to be taken will vary between the two and should also take into account the sensitivity of the data being processed. Money, time and resources should be proportionately deployed.
Ultimately, you are working to a position that in the event of challenge by the ICO – you will be able to show that your company took sensible, proportionate steps to ensure compliance with the Regulations.
So there you have it, people! I hope this blog has helped you think more about your own situations and what steps you could be taking.
As always, please contact us at firstname.lastname@example.org if you need advice on this matter or any others.