GDPR Requirements UK
Our lawyers can advise you not only on the legal framework of the GDPR but also on the practical implications and challenges you may face when trying to ensure your company becomes compliant. Through assisting in the firm’s internal process to become GDPR compliant, as well as those of our clients, our lawyers have first-hand experience of the challenges faced and practical insights into ensuring compliance. We believe that this practical knowledge will be invaluable in ensuring that your company’s process to become compliant will be as smooth as possible.
The General Data Protection Regulation (GDPR) came into effect in the UK on 25 May 2018, strengthening existing legislation and creating new requirements for companies that control or process personal data. Our Quick Guide (The General Data Protection Regulation: A quick guide) sets out the full requirements and detail of the GDPR, including the difference between data processors and controllers, their respective obligations, and the individual’s rights.
Steps to be taken
It is important that your company considers the key requirements of the GDPR, as set out below, as far in advance of the May deadline as possible:
1. Carry out an audit of what personal data you hold and how you process it. Also understand your ongoing record-keeping obligations and the use of Privacy Impact Assessments for that purpose.
2. Check whether your contracts with data processors (in particular) contain GDPR compliant data protection clauses.
3. Ensure your business meets the GDPR standard for protecting personal data from a technological and organisational standpoint.
4. Ensure your marketing initiatives are GDPR compliant - in particular, check whether the consent wording used to collect email address data sets for direct marketing is GDPR-compliant.
6. Understand how you would comply with the new data subject rights (such as the right to have all personal data an organisation holds on you permanently erased - 'right to be forgotten').
7. Identify whether you are required to appoint a Data Protection Officer and, if so, whom you might appoint (the required qualifications are quite high).
8. Take certain key steps to mitigate the potential impact of an ICO audit.
If you would like to further discuss any of the information detailed above, please contact Joanne Gallagher, Head of Corporate & Commercial on 01322 623708 or at firstname.lastname@example.org.