The UK Data Protection Bill 2017 was published in the last few days. While it makes it clear that GDPR will be implemented by the UK despite Brexit, it seems to have done nothing to allay fears about the complex application of GDPR.
Is it a sign of things to come here in Ireland? The fear-mongering certainly continues. The Irish Independent recently reported that:
According to the results of a recent study commissioned by DataSolutions, 23pc of businesses here said they would be forced to close if found to be non-compliant and subject to these financial penalties.
While this may be the case, in my view it is only going to happen to businesses that already have serious compliance issues. Most businesses I have spoken to are not aware of their obligations under the current data protection regime, let alone worrying about GDPR.
It is really important that the average business does not get bogged down in trying to interpret every small nuance of GDPR. Its application has not yet been tested, and it will take time to fully appreciate how the Commissioner will interpret and apply it.
However, what is very clear is that doing nothing is the worst approach. There are some basic steps that your organisation needs to take to start its GDPR journey. I must stress the word 'journey': GDPR compliance is an ongoing process. So even if you are not fully compliant by 25 May 2018, you still need to keep progressing.
Start simple. Make your staff aware of their obligations. Then look at the personal data you hold, why you hold it, and where it comes from. Document this 'data life cycle'. From there you can build out to other items, such as the lawful basis on which each category of data is processed, how long it is retained for, and the security measures that need to be applied to it.
You can then start to look at supplier and third-party contracts and put a data retention schedule in place. Throughout this process you can record any potential areas of concern and your plan to mitigate those risks.
A data subject access request process and a breach notification procedure will also take you far in terms of compliance. A lot can be achieved simply by getting started.
If you need advice on data protection and GDPR compliance please contact a member of our Employment Law & Data Protection Team:
Disclaimer: This article is for guidance purposes only. It does not constitute legal or professional advice. No liability is accepted by Leman Solicitors for any action taken or not taken in reliance on the information set out in this publication. Professional or legal advice should be obtained before taking or refraining from any action as a result of the contents of this publication. Any and all information is subject to change.
Much of the text aims to implement the European Union’s General Data Protection Regulation, which comes into force in May 2018; confirming for the Nth time that businesses can’t rely on the idea that Brexit will get them out of complying. As Neil Brown, tech lawyer at decoded:Legal, put it: “The message seems clear: irrespective of Brexit, the GDPR is here to stay, so you may as well get on and implement it, and do it well.” On top of this, there are some added extras in the UK’s bill - such as new criminal offences related to dodgy data dealings - as well as some exemptions and derogations, which are to be expected when a member state implements an EU regulation.