I am sure you have all seen countless GDPR guidance articles, with varying degrees of accuracy and scare-mongering, over the last 12 months.
There have been a few very high profile fines issued in the last 12 months, including a recent fine for the “Vote Leave” organisation. For the most part, these still relate to actions taking place before GDPR came into force, as it usually takes around 12 months for the ICO to complete a substantial investigation. We should therefore be seeing the first “batch” of GDPR-based decisions and fines soon.
The purpose of this article is to recap the fundamentals of GDPR, as I know that a lot of organisations, both large and small, still haven’t got to grips with their GDPR obligations. I thought I would set this article out a little differently, by going through the classic list of questions:
- Who – GDPR applies to almost every business, large or small. It also applies to the vast majority of charities, clubs and societies – I recently produced GDPR documentation for a children’s swimming club, for example.
- What – there is a very common misconception in this respect; GDPR is not solely (or even mostly) concerned with consent to marketing emails. It covers everything about personal data – how you collect it, what you do with it, who you share it with, and what rights the data subject has. Remember that “data subject” is not limited to your customers – it could equally by your suppliers, employees and so forth.
- When – GDPR came into force on 25 May 2018. We were all expected to be compliant by that date – but if you are not, it should now be a priority. In terms of business life-cycle, it is much more straightforward to get a grip on this topic at an early stage than to “bolt on” GDPR compliance after you have grown substantially.
- Why – you will all have seen reference to enormous fines for non-compliance. You may even have received sales pitches trying to frighten you into paying for a compliance package on the basis of apocalyptic warnings. Whilst it is true that huge fines may apply for certain types of wrongdoing, they are not the norm. The bigger risk for most businesses who have made a sensible effort at compliance is a time-consuming investigation by the Information Commissioner, and the damage to reputation of a public finding of bad practice. The best way to mitigate the risk of a financial penalty is to take early and sensible advice about your policies and practices, and to follow that advice – before anything goes wrong!
- Where – You may have noticed something called Brexit in the news. I have been asked quite a few times why people should bother with GDPR, if we are likely to be leaving the EU soon anyway. There is a simple answer to this – GDPR has been incorporated into domestic UK law, so even if Brexit does happen (not a political comment!) similar rules will continue to apply in the UK.
- How – There are really three schools of thought on how to comply with GDPR:
- Do it yourself – you may or may not have the skills to do so. I would suggest you consider though whether you would do your own legal work in other areas – would you do your own conveyancing? Would you write your own will? Why is GDPR compliance any different?
- Google a “GDPR Expert” – There is a broad range of abilities and fees amongst the self-proclaimed experts advertising online. I am sure that some know their stuff, and are adequately insured. Many are not. By way of analogy, I could market myself online as an expert on sausage-making – it wouldn’t make it true!
- Advice from a solicitor – I am a little biased here(!), but in my view there is no substitute for comprehensive advice from a qualified and insured solicitor. If you end up the subject of an Information Commissioner investigation, it will undoubtedly strengthen your mitigation if you have obtained and followed appropriate legal advice on the subject – it shows that you have taken compliance seriously.
I hope that the alternative layout of this GDPR guidance helped you to understand more clearly what your business requires in this area. Please give me a call or send me an email if you would like to discuss further how I can help your business with GDPR compliance.