0345 300 6256 To arrange a free, no obligation meeting

Not too late to deal with GDPR

25 May 2018

Although businesses are becoming increasingly aware that they must comply with the General Data Protection Regulation (GDPR), which applies in the UK from 25 May 2018, many, particularly smaller ones, still have their work cut out to do so on time.

But the key message is not to panic. The Information Commissioner’s Office, which enforces the legislation, is unlikely to penalise those who don’t have everything in place by the day of the deadline. It will expect to see plans to introduce GDPR into company culture but realises that training and documentation may not be complete.

It is also important to appreciate that many of the requirements of GDPR are already likely to be in place, because the legislation builds on the existing UK Data Protection Act (DPA) 1998 by strengthening the rules around personal data, requiring organisations to be more accountable and transparent, and giving individuals (employees and customers alike) greater control over their own data.

There are, however, some major differences with the DPA which employers should ensure that they take on board.

Fines under the GDPR are potentially much higher, up to a maximum of €20 million or 4% of annual global turnover, whichever is higher, and the concept of accountability is also greater, with organisations required to implement appropriate technical and organisational measures and to maintain documentation demonstrating the actions taken to do so.

The right to erasure (the ‘right to be forgotten’) is built on as well. Employees and customers now have the power to request the deletion or removal of their personal data and, in certain circumstances, businesses are obliged to comply.

Data portability is also officially introduced into EU law, and data subjects are given a new right to obtain their personal data and reuse it as they wish. Organisations must comply with such requests, provided they meet specific criteria, and supply the information in a structured, commonly used and machine-readable format.

Additionally, GDPR includes an all-new requirement to notify the regulator of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals, and to inform the individuals concerned where there is a high risk to their rights and freedoms.

Employers should also be aware that Chase de Vere, which has had a full project team working on GDPR for the last 12 months, will be contacting them to update its standard corporate service level agreements. Data “processors” like ourselves are now subject to specific legal obligations, including maintaining records of personal data and other processing activities.

We would, however, like to assure you that we are making it a high priority to ensure that the administrative inconvenience is kept to an absolute minimum. Having ourselves completed a significant number of client GDPR questionnaires, we are conscious that the standard of these has been extremely variable.

Some checklist questionnaires have been very detailed, probably far too detailed in our view. Others have been far more reasonable, involving fewer than 20 pertinent and unambiguous questions.

Chase de Vere has already reviewed all its internal and external processes for GDPR purposes and is confident that it will be fully compliant by the deadline. We are aware that we have greater internal resources than many of the small businesses we deal with, but feel that, in view of the range of free tools available, the task is not beyond even the smallest of them.

In particular, the ICO has a website (www.ico.org.uk) which contains a range of resources for organisations employing under 250 people, and offers a useful dedicated advice line for SMEs to provide additional personal advice for those who still have questions about the GDPR: Tel 0303 123 1113, then select option 4.

The helpline can also answer questions on current data protection rules and other legislation regulated by the ICO, including electronic marketing and freedom of information.

So any business owner who is beginning to get a little uptight, knowing that they are still somewhat behind with legislation they have heard can involve massive fines for non-compliance, should realise that it is far from being too late.

In our experience the ICO tends to be eminently reasonable with those who are clearly trying, even if they haven’t yet dotted all the i’s and crossed all the t’s.