Peter Elliot

GDPR - Storm in a teacup or lasting change?

It's nearly six months since the GDPR (General Data Protection Regulation) came into law throughout the EU, rapidly followed by the UK Data Protection Act 2018, which copies the GDPR apart from a few minor tweaks. The principles are the same, which makes perfect sense as personal data may be processed or transferred within Europe and we should all be on the same page, Brexit or not. It's important to note that the last Data Protection Act was 20 years ago and a lot has changed, specifically the abundance of data and the number of companies seeking to exploit it.

Many small businesses took the view that GDPR is just another compliance task and put it on the priority list accordingly. The primary considerations with any compliance requirement are risk and consequence. It's the law, and all businesses need to comply, but all business owners need to consider risk first and foremost. Taking an example from another compliance area, health and safety, it's somewhat obvious that a business working with machinery on construction sites must put considerable effort into compliance, whereas a small office-bound business carries a lower risk, so the compliance workload will be a lot smaller. It's the same with GDPR: any business that processes a large amount of personal data, such as an IFA or an e-commerce operation, should have already taken steps to protect itself against a data protection claim. However, probably 99% of businesses have a client list; this is personal data, it is regulated by GDPR, and compliance must at least be assessed. The extent of a GDPR project will depend on the assessed risk, but no business can ignore it altogether.

So what are the main steps in a GDPR compliance project? Simply put, first identify your personal data and how it is processed. Second, assess your risk. Third, take steps to reduce your risk. That last step could involve reducing the quantity of data held, ensuring you are lawfully processing the data, updating your privacy policy, putting processes in place to erase data when it is no longer required, educating your staff, improving your cyber and physical security, and making sure you can respond to a subject access request (SAR) from a client, customer or employee. In many cases clients and partners are asking for demonstrable compliance, and this may require reviewing contracts and writing and responding to letters.

There is no doubt that data protection law is here to stay and is changing the data use landscape. Many businesses have streamlined their personal data acquisition and storage and have ensured their privacy policies are transparent and honest. With the growing use and monetisation of our personal data this is good for us as individuals, as we are all now better protected. But precisely because that awareness is growing amongst both the general public and employees, there are dangers lurking for unprepared businesses. The ICO (Information Commissioner's Office) will be sympathetic to businesses who have made an effort to comply, but the biggest sin is ignorance. Any business that loses personal data due to a virus, negligence or otherwise, and has made no preparation for GDPR, is likely to be fined, never mind the reputational impact.

Is GDPR still on your to-do list? GDPR is not going away, so rather than facing the position of uncontrolled risk and having to deal with a breach knowing you have done nothing, take a step in the right direction and speak to Empiric Partners today about how to protect your business. That initial conversation is, of course, free of charge and without obligation.


© 2020 Empiric Partners LLP