GDPR Requirements UK
Our lawyers have the ability to not only advise you on the legal framework of the GDPR but the practical implications and challenges you may face when trying to ensure your company becomes compliant. Through assisting in the firm’s internal process to become GDPR compliant as well as those of our clients, our lawyers have first-hand experience of the challenges faced and practical insights in ensuring compliance. We believe that this practical knowledge will be invaluable in ensuring that your company’s process to become compliant will be as smooth as possible.
The General Data Protection Regulation (GDPR) will come into effect in the UK on 25 May 2018, strengthening existing legislation and creating new requirements for companies who control or process personal data. Our Quick Guide (The General Data Protection Regulation: A quick guide) sets out the full requirements and detail of the GPDR including the difference between data processors and controllers and their respective obligations and the individual’s rights.
Steps to be taken
It is important that your company considers the key requirements of the GDPR as far in advance of the May deadline as possible as set out below:
1. Carry out an audit of what personal data you hold and how you process it. Also to understand ongoing record keeping obligations and use of Privacy Impact Assessments for that purpose.
We can provide you with audit questionnaire documentation and advice on how to implement the audit based on our internal experience of auditing personal data processing at Thomson Snell & Passmore, as required by the GDPR. Also providing an explanation of what ongoing record keeping obligations apply and a template Privacy Impact Assessment with advice on how it should be implemented.
2. Check whether your contracts with data processors (in particular) contain GDPR compliant data protection clauses.
Thomson Snell & Passmore can provide you with an example set of clauses that are required as a minimum under the GDPR and an explanation of the GDPR principles needing application to such contracts.
3. Ensure your business meets the GDPR standard for protecting personal data from a technological and organisational standpoint.
We can explain, with examples, the GDPR requirements around keeping personal data secure within your organisation.
4. Ensure your marketing initiatives are GDPR compliant - particularly whether your consent wording that has been used to collect email address data sets for direct marketing is GDPR-compliant.
Our lawyers can explain the GDPR requirements around consent as they apply to marketing and other operations and where necessary proposing methods for data cleansing to help avoid data sets having to be abandoned from May 2018.
We can amend existing documents or provide new versions as necessary. Advice around data breaches includes helping with your reporting requirements as well as with remediation steps.
6. Understand how you would comply with the new data subject rights (such as the right to have all personal data an organisation holds on you permanently erased - 'right to be forgotten').
Thomson Snell & Passmore can explain the GDPR requirements around the new data subject rights that are most likely to affect your business operations.
7. Identify whether you are required to appoint a Data Protection Officer and, if so, whom you might appoint (the required qualifications are quite high).
We can explain the GDPR requirements around DPOs as they apply to you and suggesting a list of possible candidates within your organisation or an outsourced provider as appropriate.
8. Taking certain key steps to mitigate against the potential impact of an ICO audit.
Our lawyers can suggest key measures relevant to your business that could be taken to reduce the impact of an ICO audit should it occur.
If you would like to further discuss any of the information detailed above, please contact Stuart Smith, from our Corporate & Commercial department on 01892 701266 or at firstname.lastname@example.org.