GDPR: Don’t rush and get it wrong
PUBLISHED: 14:35 03 April 2018
When it comes to ensuring your business is compliant with the General Data Protection Regulation, take time and care, and get it right, urges William Stebbings of Sherbornes Solicitors.
GDPR has taken on a mystical, unfathomable status that it does not deserve. It’s clear why so many small business owners are worried about it: it cannot be codified into a simple list of numbered rules, and many advisors are frightening businesses in an attempt to win work.
However, it does not deserve to be the number one risk worrying a business, and it can be addressed fairly easily with a simple, methodical approach. The key message is not to rush and get it wrong.
The Information Commissioner has stated very clearly that she is growing tired of the scaremongering and that, as long as you are compliant with the old regime, and are genuinely working towards complying with the new, she will not penalise any business during the first 12 months. So, slow down and get it right, as this leniency won’t last forever.
The key to this is to remember that it is a process, a journey, rather than a perfect destination. So the following pointers toward compliance should be reassuring.
• Start working toward compliance now, if you haven’t started already. It will take some time.
• Document each step you take, so that if you do make a mistake in the future, you can show that it is not because you have failed to take GDPR seriously.
• Conduct a Data Audit. Get your senior managers involved and document all forms of personal data that you hold. This could be email addresses, CCTV footage, names and addresses, payroll information. List it all, no matter how trivial.
• Once the audit is complete, identify, for each class of information, whether and how you process it.
• Identify, for each type that you process, the reason you process it. There are 6 permitted reasons. It may be hard to change the reason at a later date, so it’s best to get this right. The 6 reasons are:
1. Consent of the individual
2. Contractual necessity
3. Compliance with a legal obligation
4. Protection of an individual’s vital interests
5. Performance of a public task
6. Legitimate interest
• Perform a risk assessment (very similar to a health and safety risk assessment) to identify what risks there are to the data, and how you can eliminate or minimise these risks.
• Review your contracts, policies and procedures to include the measures that reduce or eliminate your risk.
• Train key staff on the changes and their obligations.
It’s little more than a route map. There are numerous professional firms out there willing to help you with the process, but don’t just buy a set of policies described as GDPR compliant, because without the above process they can’t necessarily be compliant and usable. Take time and care, and get it right.
William Stebbings is a Senior Associate Solicitor at business law firm Sherbornes Solicitors. He has practised commercial law for 38 years and has a special interest in data protection, intellectual property and competition law.