This month marks the first anniversary of the GDPR. Just over a year ago it
came into effect, bringing with it the biggest change to data protection law
in two decades. Some organizations were ready ahead of time, others were
unprepared, and many are still getting to grips with the GDPR and building
compliance and good practice into their businesses.
Few areas of law stand still for long, and data protection is one which is
constantly moving. It may be a very long time before we see an overhaul as
significant as the GDPR again, but that does not mean that compliance
measures put in place last year can simply be left alone.
Whether you’re still getting your data protection ducks in a row, or
whether you were already in shape by May last year, now is the perfect time
to review your data protection framework, evaluating its effectiveness, and
looking for improvements.
New Data Protection Impact Assessment Guidance Notes
If you are looking to use personal data in a new project, perhaps in a new
way or using new technologies, a Data Protection Impact Assessment is often
advisable. In some cases it is not merely advisable but a requirement of the
GDPR: Article 35 requires one wherever the proposed processing is likely to
result in a high risk to individuals.
A Data Protection Impact Assessment, or "DPIA", is designed to make you
consider the necessity and proportionality of your proposed use of personal
data, to evaluate carefully the likelihood and severity of the risks it poses
to individuals, and to identify measures that reduce those risks.
DPIAs can be complex and somewhat overwhelming. Our new DPIA Guidance Notes
have therefore been created to provide a guide to the essentials, including
what exactly a DPIA is, when one is required, the important things to cover
when carrying one out, and how to follow up on one.
New Data Breach Guidance Notes
A well-conducted DPIA should reduce the likelihood of a data breach, but it
cannot rule one out. Even with the most careful planning and the best
technical and organizational measures in place to protect personal data, the
worst can happen. Personal data can be destroyed, lost, altered, disclosed,
or accessed without authorization. Whether this is caused accidentally or
deliberately, quick and decisive action is essential.
You should act quickly to contain the breach and mitigate its effects, and
must establish promptly whether it needs to be reported to the ICO: unless
the breach is unlikely to result in a risk to individuals, it must be
notified without undue delay and, where feasible, within 72 hours of your
becoming aware of it. Breaches that pose a high risk to individuals must also
be communicated to the individuals whose data is involved. Every breach,
reported or not, should be documented internally. Not only that, but a data
breach must also be treated as a learning experience, ensuring that whatever
flaws contributed to it are fixed to prevent a recurrence.
Our new Data Breach Guidance Notes will help you to understand what a data
breach is and how to recognize one, how to deal with it, and how to comply
with your all-important obligations under the GDPR.
The contents of this Newsletter are for reference purposes only and do not constitute
legal advice. Independent legal advice should be sought in relation to any specific