That's good news, but it won't be the case forever. Andy thinks the first fines and enforcement are expected this year.
He continues: "In our experience, the greatest challenges for businesses have come instead from the supply chain, which asks contractors or suppliers to demonstrate their compliance by providing specific documents or assurances on how the company protects personal data.
"Many tender documents now include a section on GDPR compliance, and much of our business is generated from companies that require professional help to create such documents and respond to the bids.
"This alone is a breach of the transparency principle in GDPR. You must tell me which personal data you use internally and how it is used."
Many also contain fundamental errors, such as citing the Data Protection Act 1998, which has now been superseded, or misrepresenting data subject rights.
Some even charge a fee for data disclosure or require 40 days to respond, practices that the 2018 GDPR legislation set out to get rid of.
The same law dictates that privacy policies should accurately describe data subject rights, be reviewed annually, and give details of the last update.
But it is not just about compliance; Andy says it also provides good customer service: "A website is a window for many organizations, and the quality of the privacy documentation on it says a lot about your GDPR preparations internally.
"If you cannot demonstrate the absolute basics, how can a customer be sure that you are able to provide adequate protection for their personal data if they engage you, and how good are you at your business in general?"
GDPR is not optional
Data protection legislation is not optional; it is the law, and it has existed for decades. The main difference between GDPR and previous versions is the principle of accountability.
Some facts based on activity across the EU over the first 12 months:
- In a report published in February, over 10,000 breaches had been reported to the ICO (Information Commissioner's Office). This was the third highest in Europe, behind only the Netherlands (15,400) and Germany (12,600). (DLA Piper)
- 91 fines were issued throughout Europe. The largest to date went to Google, which was fined £44 million for failing to obtain appropriate consent for advertising and for a lack of transparency regarding the use of data for advertising (DLA Piper). No fines have been issued in the UK, but it is believed that the first monetary sanctions are imminent.
- In a recent speech to the IAPP, the ICO advised that it is focusing its investigations on breaches of the principles of transparency and fairness of processing – this refers directly to the availability of privacy policies and how accurately they portray the activities of a business.
- In the month after May 25, 2018, the ICO saw a sharp increase in data protection complaints – 6,281, more than twice as many as in the same period in 2017. (IAPP)
- 375,000 organizations in the EU are known to have registered Data Protection Officers – more than 32,000 of these are UK companies. (IAPP)
So what should Bedford companies do to make sure they are, and remain, prepared for GDPR?
- Register with the Information Commissioner's Office (ICO). This is a legal requirement for most organizations, with fines imposed for non-registration.
- Complete a full review of all personal data held by the organization. Where did it come from, who do you share it with, and how long do you keep it?
- Consider what legal basis you have for processing this data – and document it in each case. Remember that there are six legal bases and consent is only one. You can have several legal bases.
- Review your vendor contracts, as many will need privacy-specific additions. As a data controller you are now responsible for the data processing activities of your suppliers (data processors).
- Your policies should be reviewed and updated every year, and should evolve as the business grows and your use of personal data changes.
- Staff training should be scheduled regularly to ensure a culture of data protection is maintained across the enterprise – especially with new starters.
- Do you need a DPO? Under GDPR, a DPO is mandatory under certain circumstances. Any DPO you designate must be appropriate for the role and there should be no conflict of interest. For example, a senior director cannot take on the role. The DPO should be in place to protect the data subjects' interests and not business interests.
- Do you have the necessary processes to identify, report, handle and resolve any breaches of personal information? You now have 72 hours from the moment a breach is discovered to investigate it and potentially report it to the ICO.
- GDPR and the Data Protection Act 2018 outline your obligations to protect the rights and freedoms of those whose personal data you collect and hold. They also require that you have the necessary processes in place to respond to any requests individuals make regarding their personal data.
A big question Andy says comes up a lot concerns the source of the GDPR. It is an EU law, so will that mean we no longer have to abide by it when we leave Europe?
Andy says it's not that simple: "Brexit makes no difference. The Data Protection Act 2018 will still apply, and apart from some minor changes for national security reasons it reflects the requirements of GDPR."