The EU General Data Protection Regulation (GDPR)

Complying with the GDPR

The EU General Data Protection Regulation, more often known as the GDPR, came into effect on 25 May 2018. In the lead-up to the GDPR, and in the months following, there was much GDPR-related publicity, focusing in particular on the substantial potential fines for non-compliance.

The reality is that not all organisations face fines reaching into the millions, and the Information Commissioner has made it quite clear that the ICO is not looking to penalise anyone who makes the slightest transgression. What is important, particularly during this crucial period while best practice is still building up, is that organisations take data protection seriously and implement those steps most suited to their collection and use of personal data.

Especially where small businesses are concerned, the ICO is likely to take a patient and helpful approach to those who are trying their best, even if there are imperfections. Inaction, however, is not likely to be viewed so favourably. To a degree, everyone is on a learning curve, and getting started right is the thing that matters most.

So, what practical steps should your business be taking in order to comply? Provided below are links to a variety of documents and detailed information to help you comply with the UK’s data protection regime.

Review and Understand your Current Data Protection Position

The starting point is to complete a data protection audit of your business. First, read the GDPR Data Protection Audit Guidance Notes and then complete the GDPR Data Protection Audit itself:

Put ‘Privacy by Design’ Front and Centre

If you are using personal data in a new project, or perhaps using existing personal data for a new purpose, it is important to ensure that GDPR compliance is built in from the beginning. In some cases, a Data Protection Impact Assessment (DPIA), also known as a ‘privacy impact assessment’, is required by the ICO. Even if it is not required, a DPIA can be a useful tool in the planning stages of a project. Apply our template:

Make Sure your Key Policies are Up-to-Date and GDPR-Compatible

The GDPR puts a lot of emphasis on improving the rights of data subjects. Where any personal data is collected and processed, you must tell data subjects what you are collecting, what you are going to do with it, and why. Use our GDPR Data Protection Policy to set out in detail the measures and procedures in place within your business for compliance with the GDPR. If appropriate, complement this with an IT Security Policy and/or a Data Security Policy. Furthermore, to ensure that personal data is not retained for any longer than necessary and is deleted or otherwise disposed of correctly, our Data Retention Policy is an important step for compliance:

In an ideal world, nothing would go wrong; but this isn’t an ideal world. From a data protection perspective, it is vital to have a procedure in place for dealing with data breaches. Our Data Breach Policy should be used to set out the measures and procedures in place to deal with breaches; those breaches should be recorded in a Data Breach Register; and for ease of reporting data breaches within your business, try our Data Breach Form:

For those collecting personal data through websites, our GDPR-compliant Website Privacy Policy templates are essential. Many websites use cookies and similar technologies as well. These remain governed by the Privacy and Electronic Communications Regulations 2003 (PECR) for the moment; however, a new ‘e-Privacy Regulation’ is expected soon – most likely in 2019. The standard for ‘consent’, however, is now derived from the GDPR, meaning that both the GDPR and the PECR apply to cookies and similar technologies. A number of our Privacy Policy templates include sections on cookies, but a separate Cookie Policy template is also available for those that want to keep things separate for easier navigation by users:

Not all personal data is collected through a website. It is nevertheless important to keep data subjects informed. Our GDPR Privacy Notice is designed for this and follows the same structure as our Website Privacy Policies, providing much the same information, but for ‘offline’ situations:

Respond Promptly to Data Subject Access Requests

Key among data subjects’ rights is the ‘right of access’. This enables people to confirm that you are using their personal data, to obtain a copy of that personal data, and (essentially) to find out what you are doing with it (note that this information should already be provided in your Privacy Policy or Privacy Notice). To make it easy for individuals to make a data subject access request, we suggest making our Subject Access Request Form readily available. In addition to this form, we also offer a set of template letters for responding quickly and easily to data subjects in a variety of different scenarios:

Transferring Data to Third Parties

If you are using a third-party data processor to process personal data (e.g. of your customers or staff) on behalf of your business, an agreement should be in place which clearly sets out your respective data protection obligations. Such provisions can be built into another contract (e.g. a service agreement) or they can be contained within a dedicated agreement such as our Data Processing Agreements:

Alternatively, if you are sharing personal data on a controller-to-controller basis, try our Data Sharing Agreement:

All the above documents and guidance can be found here and are available as part of our Business Documents Folder. Just £35+VAT will provide you with one year’s unlimited access to all of our data protection documents plus much, much more.

GDPR-Compatible Employment Documents

If you are an employer, you will collect, hold, and process personal data about your employees. Our Employee Data Protection Policy (GDPR Compatible) provides detailed coverage of the rights of data subjects under the GDPR, and the obligations of your business as ‘data controller’.

Keeping your employees informed about your collection and use of their personal data is vital. Our Privacy Notice for Employees and Contractors and our Interviewee Privacy Notice are essential starting points here.

The GDPR allows individuals to access information from organisations that process their personal data by means of a subject access request. Our Employee’s Subject Access Request Form can be used for this purpose.

The following GDPR-compatible documents can be found in our Employment Document Folder, also available for just £35+VAT for one year’s unlimited access: