The EU General Data Protection Regulation, more often known as the GDPR,
came into effect on 25 May 2018. In the lead-up to the GDPR, and in the
months following, there was much GDPR-related publicity, focusing in
particular on the substantial potential fines for non-compliance.
The reality is that not every organisation faces fines running into the
millions, and the Information Commissioner has made it quite clear that the
ICO is not looking to penalise anyone who makes the slightest
transgression. What is important, particularly during this crucial period
while best practice is still building up, is that organisations take data
protection seriously and implement those steps most suited to their own
collection and use of personal data.
Especially where small businesses are concerned, the ICO is likely to take
a patient and helpful approach to those who are trying their best, even if
there are imperfections. Inaction, however, is not likely to be viewed so
favourably. To a degree, everyone is on a learning curve, and getting
started right is the thing that matters most.
So, what practical steps should your business be taking in order to comply?
Provided below are links to a variety of documents and detailed information
to help you comply with the UK’s data protection regime.
Review and Understand your Current Data Protection Position
The starting point is to complete a data protection audit of your business.
First, read the GDPR Data Protection Audit Guidance Notes and then complete
the GDPR Data Protection Audit itself:
Put ‘Privacy by Design’ Front and Centre
If you are using personal data in a new project, or perhaps using existing
personal data for a new purpose, it is important to ensure that GDPR
compliance is built in from the beginning. In some cases, where the
processing is likely to result in a high risk to individuals, a Data
Protection Impact Assessment (DPIA), also known as a ‘privacy impact
assessment’, is mandatory, and the ICO publishes guidance on when one is
required. Even if it is not required, a DPIA can be a useful tool in the
planning stages of a project. Apply our template:
Make Sure your Key Policies are Up-to-Date and GDPR-Compatible
The GDPR puts a lot of emphasis on improving the rights of data subjects.
Where any personal data is collected and processed, you must tell data
subjects what you are collecting, what you are going to do with it, and
why. Use our GDPR Data Protection Policy to set out in detail the measures
and procedures in place within your business for compliance with the GDPR.
If appropriate, complement this with an IT Security Policy and/or a Data
Security Policy. Furthermore, to ensure that personal data is not retained
for any longer than necessary and is deleted or otherwise disposed of
correctly, our Data Retention Policy is an important step for compliance:
In an ideal world, nothing would go wrong; but this isn’t an ideal world.
From a data protection perspective, it is vital to have a procedure in
place for dealing with personal data breaches, not least because a
notifiable breach must be reported to the ICO within 72 hours of your
becoming aware of it. Our Data Breach Policy should be used to set out the
measures and procedures in place to deal with breaches; those breaches
should be recorded in a Data Breach Register; and for ease of reporting
data breaches within your business, try our Data Breach Form:
For those collecting personal data through websites, our GDPR-compliant
Website Privacy Policies cover cookies and similar technologies as well.
These remain governed by the Privacy and Electronic Communications
Regulations 2003 (PECR) for the moment; however, a new ‘e-Privacy
Regulation’ is expected soon – most likely in 2019. The standard for
‘consent’, however, is now derived from the GDPR, meaning that both the
GDPR and the PECR apply to cookies and similar technologies. A number of
these policies are also available with the cookie provisions kept
separate for easier navigation by users:
Not all personal data is collected through a website. It is nevertheless
important to keep data subjects informed. Our GDPR Privacy Notice is
designed for this and follows the same structure as our Website Privacy
Policies, providing much the same information, but for ‘offline’ data
collection.
Respond Promptly to Data Subject Access Requests
Key among data subjects’ rights is the ‘right of access’. This enables
people to confirm that you are using their personal data, to obtain a copy
of that personal data, and (essentially) to find out what you are doing
with it (note that much of this information should already be provided in
your privacy notice). Requests must normally be answered within one month.
To make it easy for people to submit a data subject access request, we
suggest making our Subject Access Request Form readily available. In
addition to this form, we also offer a set of template letters for
responding quickly and easily to data subjects in a variety of different
scenarios:
Transferring Data to Third Parties
If you are using a third-party data processor to process personal data
(e.g. of your customers or staff) on behalf of your business, a written
agreement must be in place which clearly sets out your respective data
protection obligations. Such provisions can be built into another contract
(e.g. a service agreement) or they can be contained within a dedicated
agreement such as our Data Processing Agreements:
Alternatively, if you are sharing personal data on a
controller-to-controller basis, try our Data Sharing Agreement:
All the above documents and guidance can be found in, and are available as
part of, our Business Documents Folder. Just £35+VAT will provide you with
one year’s unlimited access to all of our data protection documents plus
much, much more.
GDPR Compatible Employment Documents
If you are an employer, you will collect, hold, and process personal data
about your employees. Our Employee Data Protection Policy (GDPR Compatible)
provides detailed coverage of the rights of data subjects under the GDPR,
and the obligations of your business as ‘data controller’.
Keeping your employees informed about your collection and use of their
personal data is vital. Our Privacy Notice for Employees and Contractors
and our Interviewee Privacy Notice are essential starting points here.
The GDPR allows individuals to access information from organisations that
process their personal data by means of a subject access request. Our
Employee’s Subject Access Request Form can be used for this purpose.
The following GDPR-compatible documents can be found in our Employment
Document Folder, also available for just £35+VAT for one year’s unlimited