Find out more about what Bright Solicitors are up to and what's currently happening in the industry.

GDPR Newsletter

  • Posted: 19-01-2018
  • Commercial/Business

GDPR stands for the General Data Protection Regulations. These regulations originate in the EU and will replace the existing Data Protection Act.

• They will come into force on 25th May 2018

• Brexit will have no effect on the GDPR – the Government has committed to ensuring they take effect in the UK.

• Main purpose – giving data subjects (individuals) greater control over their personal data.

• Affects all businesses holding personal data – not just client/prospective client data but also eg employee data.

• Myth number one – it doesn’t affect me I am a small business (it affects all businesses).

• Myth number two – it doesn’t affect me I only sell to other businesses (it affects all personal data held by a business eg if you sell to ABC Ltd you will be dealing with a person there whose personal details – name. address, email etc – you will hold; if you have employees you hold employee data; if you recruit you hold prospective employee data).

• The key requirement is to “demonstrate compliance”. It is no longer enough just to make a decision, you will now need to document what you considered when making the decision (the legal basis for processing); what decision you made, why etc.

• This will affect all processes, procedures and documents that affect or are affected by data processing.

• Documents that might need to be drafted/reviewed include:

o Privacy policy (website) o Fair dealing policy (data protection policy for employees) o Fair dealing policy for prospective employees o Data breach response plan

• Data cleansing should take place before May – i.e. get rid of any data you no longer need, but get rid of it safely to ensure no privacy breaches.

• Marketing databases are a particular concern – opting out of emails/contact is no longer enough, data subjects have to opt in. A double opt in is needed if you are to be safe under the GDPR ie the data subject needs to click on an email/complete a form AND THEN ALSO confirm that instruction by clicking in a link in a follow up email.

• All employees handling data will need training.

• This is an ongoing process that needs to be kept under review – it is not a one time only compliance exercise.

• Sanctions are either 4% of worldwide turnover or 20 million Euros, whichever is the greater.

What is Bright doing to help?

• We are providing free of charge a data mapping exercise for clients/prospects to complete. This is a time consuming but necessary first step to ensure the business knows what data it holds, where, why, who has access to it, who it is shared with etc.

• When the data map is returned to us we evaluate where the gaps are and quote to implement the necessary reviews, documents etc

What should businesses do?

• Take it seriously – appoint someone to take the lead on compliance, devote time and resource to it.

• Speak to us (of course) and complete a mapping exercise to start with

The message

• Do not panic but do prepare.