Procurement 8 June 2017

Ten steps to prepare your business for General Data Protection Regulation changes

With just a year to go before the General Data Protection Regulation changes take effect, business owners have been urged to prepare for compliance now.
Here, Tom Torkar, partner at law firm Michelmores, takes a look at how small UK businesses can get ready for the General Data Protection Regulation, offering advice to owners unsure of its implications.

The changes being introduced in the EU General Data Protection Regulation 2016 (GDPR) will be the biggest shake-up in data protection and privacy law in over two decades. Coming into force on 25 May 2018, the regulations are the culmination of four years of lobbying and debate in Europe.

The GDPR updates the Data Protection Act 1998. It introduces concepts and requirements that better reflect the data processing that is carried out in an increasingly digital world.

More data is being collected than ever before and individuals are increasingly conscious of privacy issues. GDPR puts best practice on a statutory footing.

In light of this, the GDPR requires organisations to be more transparent, giving individuals greater rights to hold organisations to account.

What’s more, the fines that can be imposed for breaches of the GDPR are significantly higher than before, rising from a maximum of £500,000 to €20m or four per cent of global group turnover (whichever is higher).

The triggering of Article 50 and Brexit does not mean that the GDPR will not apply.

The GDPR will come into force well before the UK leaves the EU, and it is likely that organisations will have to comply with similar rules after the UK leaves, given that the UK will still wish to trade with EU member states, which will remain subject to the GDPR.

So, what practical steps should you be taking now as you work towards compliance?

  1. Review and document relevant policies for GDPR compliance. This includes your privacy policy, privacy notices, data protection policy, data sharing policy and information security policy.
  2. Review and document the mechanisms that you use to collect consent from data subjects.
  3. Ensure that the GDPR is on your Board or management team’s agenda and that sufficient resources and budget are allocated to GDPR compliance.
  4. Create a breach notification procedure to ensure that notifiable breaches are identified, assessed and reported to the ICO within 72 hours.
  5. Deliver GDPR training for your employees. This should be carried out before May 2018.
  6. Review your existing contracts and make any necessary amendments.
  7. Ensure that personal data is held in well-structured, secure and easily searchable databases so that you can handle data subject requests efficiently. Be aware that data subjects have enhanced rights under the GDPR.
  8. Appoint a data protection officer if required or, if not required, appoint someone in the company to deal with data protection issues.
  9. Identify whether you transfer personal data outside the UK and, if so, review these arrangements to ensure you are GDPR-compliant.
  10. Schedule regular GDPR review meetings throughout 2017 and 2018 to ensure that you are on track with your GDPR compliance plan.
