By Michael McGeary
There may not have been any cakes and candles from Teesside’s business community to mark GDPR’s first birthday, but one expert says the anniversary is a good opportunity to ensure policies and procedures are up to date.
The complex EU law – the General Data Protection Regulation to give it its full title – heralded a multitude of PowerPoint presentations and had more than a few bosses pressing the panic button in the months before finally coming into force on May 25, 2018.
Now, one year on, Elaine McLaine-Wood, managing partner and head of the commercial department at long-established Teesside law firm Punch Robson, is advising everyone to take steps to ensure they are still meeting its requirements.
Not everyone has switched off, however – Elaine recently read that more people search for GDPR on Google than for Beyonce or Kim Kardashian!
“The conversation may have shifted away from GDPR and you may think it’s business as usual, but people need to be aware they still have to comply,” she says.
“Given that this was by far the biggest shake-up of data protection regulations to date, it’s a good idea to take stock, reflect and look at what’s changed.
“A lot of people panicked and many organisations weren’t ready because of the practical requirements and the fact that the guidance wasn’t very clear, and there have been a number of challenges, which some are still working through now.”
Before last May’s changes, the Data Protection Act 1998 was the key piece of legislation in this area. GDPR, however, ushered in a far more radical and much stricter regime.
“One of the key changes was to the right of individuals to be informed of any personal information held about them, which is known as a subject access request. Most organisations already had experience of this because anyone could make such a request under the Data Protection Act.
“But now you only have one month to respond and you can’t charge for the information. What’s more, requests can now be verbal, so someone can just ring up, whereas previously they had to be put in writing. You can also ask for your data to be deleted.”
Elaine says it’s essential for all organisations to know whether they are a “data controller” – who determines the purposes and means of processing – or a “data processor”, who handles data on behalf of the controller and is subject to far fewer legal obligations.
“As a firm, we process and control data, and we have to be transparent to our clients about how long we hold that information and what we use it for. All organisations have to do that, even if it’s just someone’s name and address.
“It’s also important to make sure that when you deal with another organisation – for example, if an organisation works with a third party body – there’s a data-sharing agreement in place stating very clearly and specifically the reasons information is held and how it will be used and that everyone signs up to this and complies.
“If there are two parties and one controls the information and the other processes it, it’s about identifying who does what and ensuring there’s a contract between them.
“It’s not cheap to comply, so it’s important to make sure who pays for it is covered in the contract.
“Companies should issue GDPR policies to their staff so that when they leave, they know how long their information will be kept for and what it will be used for. They should also have privacy policies in place, which should be shared and transparent.”
The maximum fine for a breach of GDPR is 4% of the company’s annual worldwide turnover or 20 million euros, whichever is higher, which underlines the seriousness of these laws.
“With the penalties being so severe, it’s vital that record keeping is exact in case you’re ever investigated. Everyone has to buy into GDPR, not just the bosses and owners of the organisations. All employees should understand the issues.”
Another change is the onus on organisations to self-report personal data breaches to the Information Commissioner’s Office (ICO) where the breach is likely to pose a risk to individuals, generally within 72 hours of becoming aware of it.
“You need to know what you should report and if in doubt, get advice. If you’re a regulated industry, such as a law firm or doctor’s practice, you may have a duty to report the breach to the Law Society or General Medical Council, as well as to the ICO.”
Additional guidance is continually being issued by the ICO, while there are also ongoing uncertainties, such as the impact of Brexit and the potential overlapping of competing data protection regimes.
“Businesses need to be alert and the message is to invest in continued compliance,” says Elaine. “It’s about continually keeping abreast of the latest information and ongoing staff training.
“Perhaps you could delegate someone to keep up to speed with developments and then the rest of the staff can focus on their daily duties. It might be wise to have an annual review of your policies and terms and conditions and if there are any senior staff changes, make sure the new person understands the importance of GDPR within your organisation.
“A lot of it is just good practice. But if people have taken their eye off the ball, they need to be looking at it again.
“So far, more large companies have been investigated than small ones. But it’s still important for smaller companies to comply because all it takes is one disgruntled employee or customer to make a complaint and it could be extremely costly for your business.”
Punch Robson was established in 1877 and has offices in Ingleby Barwick and Coulby Newham.
For more information, call 01642 754050 or visit punchrobson.co.uk.