The GDPR has applied in the UK since 25 May 2018 and, since 1 January 2021, continues as the UK GDPR alongside the Data Protection Act 2018. Failure to comply can land businesses with substantial fines and reputational damage. It is not just large companies that need to understand and comply with their data protection obligations, but also small businesses, charities and even sole traders.
What data do you hold?
The first step to ensuring compliance is a data audit: work out what personal data you hold, where it came from, where it is stored, who can access it and what internal policies (if any) govern how it is processed and protected. This type of review is likely to be time consuming, but it is necessary and it underpins everything that follows.
Two of the key principles of the UK GDPR are storage limitation (you do not keep personal data for longer than you need it) and lawfulness, fairness and transparency in how it is processed. Once you have a clear picture of the data you hold, work through the following checklist:
- We know what personal data we hold and why we need it.
- We carefully consider and can justify how long we keep personal data.
- We have a policy with standard retention periods where possible, in line with documentation obligations.
- We regularly review our information and erase or anonymise personal data when we no longer need it.
- We have appropriate processes in place to comply with individuals’ requests for erasure under ‘the right to be forgotten’.
- We clearly identify any personal data that we need to keep for public interest archiving, scientific or historical research, or statistical purposes.
Three key areas affected by the UK GDPR are:
- HR or personnel - How do you gather and store information about your employees? Have your staff had the training they need to understand what they should be doing to keep your business compliant?
- marketing - Do you have the right lawful basis to send customers newsletters, adverts or deals? Electronic marketing (email, SMS) is also governed by PECR, so consent, or the "soft opt-in" for existing customers, is usually required.
- customers and contracts - How do you gather and store information about your customers and business contacts? Are your terms and conditions and privacy notices fit for purpose?
Issues to consider
The UK GDPR is detailed and technical, which can make it difficult to navigate. Our experienced team can guide you through your duties and obligations under the regime. We can advise you on:
- the types of data involved, such as personal data and special category data (formerly known as "sensitive personal data");
- whether you are a data controller or a data processor, and what that means for your business;
- how to deal with requests ("subject access requests") from individuals about the data you hold, which must normally be answered within one month;
- whether you must, or should, appoint a data protection officer; and
- how to handle a personal data breach, including the 72-hour deadline for notifying the ICO where a breach is likely to result in a risk to individuals.
Our lawyers can do a “health check” of your policies and procedures, and help you meet your obligations under the UK GDPR. We’ll work with you to find solutions that are practical and convenient for an organisation of your size.