- What is the General Data Protection Regulation (GDPR)?
- What does GDPR compliance mean? Is there a definition of GDPR compliance?
- The UK plans to leave the EU. Do UK organisations have to comply with the GDPR?
- Why should I bother implementing GDPR?
- What should I expect if the Supervisory Authority decides to investigate my company?
- How is GDPR compliance monitored and enforced?
- What do I need to do to comply with GDPR?
- My organisation cannot afford a big budget implementation, what can we do?
- How should I approach GDPR compliance?
- If the UK crashes out of the EU, what else do I have to do with respect to the GDPR?
- What is the minimum I need to do to get GDPR compliant?
- Are there any business areas that do not need to comply with the GDPR?
What is the General Data Protection Regulation (GDPR)?
The GDPR (Regulation (EU) 2016/679) is an EU data protection regulation that protects the fundamental rights and freedoms of natural persons, in particular their right to the protection of their personal data. It became applicable on Friday 25 May 2018.
It should be considered a value-adding product that demonstrates your company's respect for personal data. GDPR presents significant competitive advantage opportunities. It shows customers that your organisation respects their right to privacy and that their data is safe in your hands.
The implementation deadline was Friday 25 May 2018, the day from which the regulation has applied and been enforceable.
What does GDPR compliance mean? Is there a definition of GDPR compliance?
An end to the confusion about what GDPR compliance means
We frequently get asked "what does GDPR compliance mean?". We have the answer, but we cannot claim ownership of it: it came, at our request, from the UK's Supervisory Authority, the Information Commissioner's Office (ICO). Here is the definition:
To demonstrate GDPR compliance, an organisation must ...
- Show respect for the six data protection principles set out in Article 5(1) of the GDPR (lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality)
- Have implemented appropriate technical and organisational measures to ensure, and to be able to demonstrate, that processing is performed in accordance with the GDPR (the accountability principle, Article 5(2)).
If you have implemented a GDPR control framework based on these principles and you are now operating within that framework, you are compliant. This does not mean that every single piece of personal data held by your organisation has already been remediated. It does mean that you now address GDPR and PECR (the Privacy and Electronic Communications Regulations) data protection using a compliant framework.
The UK Information Commissioner has already stated that GDPR is a journey, possibly without end, so you are allowed to and are expected to continually address GDPR issues as long as you operate within a GDPR and PECR compliant framework.
The UK plans to leave the EU. Do UK organisations have to comply with the GDPR?
Brexit has zero impact on GDPR implementation requirements
UK organisations have to comply with the GDPR. Follow this link to see the Information Commissioner's Office strategy statement. Part one, "Challenges and priorities", addresses the issue of GDPR and Brexit.
In 2017, the Secretary of State, Karen Bradley, and the UK Minister responsible for the digital economy, Matthew Hancock, made several statements to Parliament declaring the UK Government's commitment to comprehensively implementing GDPR, as planned, in 2018.
Why should I bother implementing GDPR?
GDPR compliance is good for business!
It is directly applicable law, enforced by a Supervisory Authority in every country where it applies
The GDPR applies to the processing of personal data in the context of the activities of an organisation established in the EEA, regardless of whether or not the processing itself takes place in the EEA (Article 3(1)).
It also applies to organisations that are not established in the EEA but offer goods or services to, or monitor the behaviour of, individuals who are in the EEA (Article 3(2)).
Enhance your image and trust
Some of your competitors will be taking action to deploy the GDPR. If you choose not to, they will have an advantage over you. They will be able to tell their customers, suppliers, etc. "you can trust us with your personal data".
The GDPR provides for certification mechanisms and data protection seals and marks (Article 42). Once these are established, not being able to show one will probably have negative financial consequences for your business.
By implementing the GDPR in your organisation you show that your organisation respects personal data and people can trust what you do with their personal data.
Avoid the financial and reputational consequences
Administrative fines can reach 20 million Euros or 4% of total worldwide annual turnover, whichever is higher (Article 83(5)). In addition, individuals may be awarded damages should the outcome of a complaint be determined in a court of law (Article 82). Under national law, directors may also be held personally to account and may face fines and, in some jurisdictions, criminal sanctions including the possibility of imprisonment.
These penalties and other enforcement actions are published and become public domain knowledge.
Non-compliance is always an option but it is not recommended
Whether an organisation complies with the GDPR is ultimately a decision for its Directors and their risk appetite.
Some organisations are willing to take the risk that it will never happen to them.
If your organisation is willing to risk news headlines, negativity on social networks, fines of 20 million Euros or more, a prohibition on processing, criminal charges against Directors and court awards for damages, then do nothing.
What should I expect if the Supervisory Authority decides to investigate my company?
Supervisory Authorities are public bodies so actions are public record
Here is what a Supervisory Authority can do (its investigative powers, Article 58(1))
- Request any information it requires for the performance of its tasks;
- Carry out data protection audits on your processing;
- Review your certifications;
- Get access to all the personal data and all information you hold that it needs to perform its tasks;
- Get access to your premises and the premises of any of your outsourced processing providers including data processing equipment.
Here are the sanctions and penalties the Supervisory Authority can impose (its corrective powers, Article 58(2))
- Issue a warning that intended processing is likely to result in infringement of the GDPR
- Issue a reprimand where processing operations have infringed provisions of the GDPR;
- Order time-constrained and monitored remediation work to take place that brings processing operations into compliance;
- Order the communication of a personal data breach to the data subject;
- Impose a temporary or definitive processing limitation that may include a ban on processing;
- Order the rectification, restriction or erasure of data;
- Order a certification body to revoke or not to issue a certificate;
- Impose administrative fines;
- Order the suspension of data flows to a recipient in a third country or to an international organisation;
- Bring infringements to the attention of the judicial authorities and, where appropriate, engage in legal proceedings, which may result in damage awards and, under national law, criminal sanctions including imprisonment.
How is GDPR compliance monitored and enforced?
Based on volume, your main risk comes from individuals
The UK and each EU country have at least one Supervisory Authority. In the UK, the Supervisory Authority is the Information Commissioner's Office (ICO). Supervisory Authorities have the right to perform spot checks and to request evidence of compliance. Failure to provide that evidence is itself a serious infraction.
Every individual about whom an organisation holds personal data has the right to lodge a complaint with the Supervisory Authority (Article 77). Depending on the severity of the complaint, the Supervisory Authority may launch an investigation. Individuals comprise everyone whose records are held: customers, students, employees, contacts, suppliers, consultants, external experts, etc. Every individual in your records is a potential source of complaint.
The risk of a Supervisory Authority performing a spot check or requesting information is low. The risk of a disgruntled individual lodging a complaint with the Supervisory Authority is much higher purely on the basis of volume.
What do I need to do to comply with GDPR?
Understand how your organisation governs and processes personal data
Despite all the rhetoric and scaremongering, GDPR breaks down into a few, easy to understand key components:
- A personal data governance structure
- A set of personal data protection policies
- A staff member to manage and operate the governance and to manage the relationship with the Supervisory Authority (a Data Protection Officer where Article 37 requires you to appoint one, or an equivalent role where it does not)
- A training and awareness programme
- A process to facilitate individuals data privacy rights
- Records management
- Internal oversight and regulatory change management
- Data sharing and transfer management
- Third party information sharing contract management
- Personal data risk assessment embedded in transformation and change
- Personal data security and access management
- Personal data breach detection measures and notification processing
A current state assessment against these components highlights gaps which are then filled as needed.
There is no magic formula. All that is needed is a structured, methodical and pragmatic approach.
“The devil is in the detail” you may say. This is true, but if you have a structure, the detail is easier to allocate and address. With many small and well-chosen bites, the elephant in the room will disappear.
My organisation cannot afford a big budget implementation, what can we do?
Limited budget? Implement your own GDPR
We offer services to meet all budgets, from an off-the-shelf, template-based solution with instructions through to onsite delivery teams.
We offer practical, pragmatic and adaptable solutions aligned with your possibilities.
Our “Do It Yourself” service includes:
- a one week assessment and training programme
- an implementation guide
- templates to help you establish governance, a secure operational structure and regulatory documentation artefacts
How should I approach GDPR compliance?
Think of GDPR as a customer experience enhancing product
Forget the scary stuff and look at the GDPR as a customer confidence builder.
Implementing GDPR is something that sets you apart from competitors.
It is a show of respect for personal data, something very positive.
The GDPR is a compliance regulation, but it is also a blueprint for a value-added product that costs nothing beyond the compliance work itself and can only benefit your organisation.
Approach it with a positive attitude and you will succeed.
We have a pragmatic approach that you can follow. Our approach has been used by our clients and has helped them successfully implement a GDPR compliance structure.
Our approach comprises three simple steps:
If the UK crashes out of the EU, what else do I have to do with respect to the GDPR?
Important if you deal with individuals in the EU
This depends on whether you trade with the EU.
If your organisation does not offer goods or services to, or monitor the behaviour of, individuals in the EU, you will not be impacted.
If your organisation does, and it has no establishment in the EU, it will have to designate a representative in an EU member state (Article 27). The GDPR applies to individuals who are in the EU, not only to EU citizens. Article 27(2) exempts processing that is occasional, does not include large-scale processing of special categories of data or criminal conviction data, and is unlikely to result in a risk to individuals' rights and freedoms, as well as public authorities and bodies.
If you are already planning on setting up a presence in the EU, that presence will need to be established as your representative before the UK leaves the EU (scheduled for March 29, 2019 at the time of writing).
If you are not in a position to do this, contact us because we operate in the UK and the EU. We have the facilities to become your representatives.
What is the minimum I need to do to get GDPR compliant?
Get in touch for more advice and implementation resources
The delivery of GDPR should be practical and pragmatic. The GDPR describes the required implementation state as "appropriate" and "proportionate" (Article 24):
- Article 24(1): Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.
- Article 24(2): Where proportionate in relation to processing activities, the measures referred to in paragraph 1 shall include the implementation of appropriate data protection policies by the controller.
Implementation basics include:
- A documented understanding of your processing
- A protective outer layer manifested in data sharing contracts and agreements showing accountability, responsibility, liability and roles
- An inner governance structure comprising policies, management, controls, standards and procedures
- An oversight function to measure, report, quality assure and interact with the Supervisory Authority
- Training for all staff members
Are there any business areas that do not need to comply with the GDPR?
Only a select few areas are exempt
The only areas that are not subject to the GDPR (Article 2(2)) are the processing of personal data:
- by an individual in the course of a purely personal or household activity;
- in the course of an activity which falls outside the scope of UK and EU law;
- by the EU member states when carrying out activities under the EU's common foreign and security policy; and
- by competent UK and EU authorities for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including safeguarding against threats to public security. Such processing is governed instead by the Law Enforcement Directive (Directive (EU) 2016/680) and, in the UK, by Part 3 of the Data Protection Act 2018, so it is not unregulated.