Data Protection and the GDPR

Data Protection and the GDPR Consultancy

The General Data Protection Regulation (GDPR) 2016/679 is aimed at unifying the regulation surrounding data protection for all individuals whose personal information is processed within the European Union (EU) and the European Economic Area (EEA). The GDPR, which came into effect on 25 May, is now recognised as law across the EU. In local UK law, the Data Protection Act 2018 (DPA 2018) came into effect on 23 May 2018 and works alongside the principles laid out in the GDPR.

The EU's data protection laws have long been regarded as a gold standard all over the world. Over the last 25 years, case law and pan-EU interpretation outpaced the original directive and new technology has transformed our lives in ways nobody could have imagined so a review of the rules was needed.

In 2016, the EU adopted the General Data Protection Regulation (GDPR), one of its greatest achievements in recent years. It replaced the 1995 Data Protection Directive which was adopted at a time when the Internet was in its infancy.

What Should You Be Doing?

The amount of time and effort involved in complying with the GDPR and the DPA 2018 will very much depend on how closely your data protection practices complied with the original 1998 version of the DPA. The UK’s Information Commissioner’s Office (ICO) has publicly stated that if an organisation was compliant with the DPA 1998, it would not require a significant effort to meet the additional requirements of the new Regulation. Naturally, the opposite is also true. The key message for all organisations is to start any compliance programme as quickly as possible and to adopt a risk-based approach. With the GDPR granting powers for EU data protection authorities (ICO in the UK) to issue fines of up to 4% of global annual turnover, delaying any compliance programme represents a considerable risk to your organisation.

Couple this with the increase in concerns relating to cyber security and in particular the cyber risk associated with personal data, and you are facing a ‘perfect storm’.

The route to compliance for the unsuspecting is littered with potential pitfalls across all aspects of business processes involving personal data. It will take time to fully understand all the implications of the new GDPR and to embed the necessary requirements to be compliant. The first step in preparing your organisation to comply with the GDPR is to understand exactly where data comes into your organisation, its journey through your organisation, where it resides and who you share it with. URM’s 1 day GDPR Data Flow Workshop will help you address exactly this and assist you in determining the key touch points in your organisation for personal data.

Having determined the scope of the operational activity in your organisation that involves the processing, storage and sharing of personal identifiable information, the next step will be to determine whether your current approach to data protection addresses the requirements of the GDPR and DPA 2018 or if it will need to be further developed or augmented. URM’s GDPR Gap Analysis will help you determine the specific activities that your organisation will need to undertake to achieve compliance with the GDPR and DPA 2018 and assist you in developing a compliance plan/road map to guide this journey.

For organisations that have already established a compliance roadmap, URM’s GDPR Compliance Implementation Plan/Roadmap Review will ensure that the key requirements of the GDPR are being addressed, including:

  • Gaining explicit consent
  • Providing the right to be forgotten
  • Enabling data portability
  • Meeting breach notification requirements
  • Retaining records for appropriate time period
  • Maintaining access control
  • Maintaining accuracy and integrity of PII
  • Dealing with subject access request
  • Conducting risk / privacy impact assessment
  • Developing privacy notices
  • Developing and maintaining incident reporting and management mechanisms
  • Maintenance of policies, procedures and data protection notices

A key step in any data protection compliance roadmap is ensuring employees/ users are fully aware of their roles and responsibilities regarding data protection. Having invested time and resources to develop a GDPR and DPA 2018 compliant data protection approach, many organisations fail to address this critical step. URM’s GDPR Awareness Training support can ensure your organisation employees/ users are fully equipped to play their role in ensuring your data protection compliance is maintained.

It is anticipated that one of the most effective ways of demonstrating the effectiveness of your personal information management system (or how well you protect personal data) to clients and stakeholders is by certifying to BS 10012:2017. See BS 10012:2017 for more information and how URM can assist you achieve certification.

Get Ahead of The Curve!

URM’s fully qualified team of consultants has a deep knowledge of data protection legislation, not just of the legalities and the security principle via our ISO 27001 services, but around all of the GDPR’s principles, gained through working with our clients on practical business implementation over the last 15 years. We understand the challenges you face and can save you extensive time considering the often complex issues, by providing support and knowledge transfer through all of our data protection consultancy services. These services can be tailored to your needs, whether it be an adequacy assessment (understanding your current position), a more detailed audit to provide assurance that the measures you have in place are adequate and reliable, or providing you with a ‘virtual’ data protection officer (DPO) service.

With our Virtual DPO service, you have someone to oversee your data protection approach and a specialist who is available whenever you need them, providing pragmatic expert advice, guidance and support. Furthermore, with URM it is not just one expert you have access to, but a team of specialists each with their own area of specialism e.g. dealing with the ICO, advising on subject access requests etc. Each of our Virtual DPO service contracts is customised to your precise requirements, although will typically include the following components:

  • On-site days - The DPO will attend your site at a frequency determined by you (e.g. weekly, monthly, quarterly), where they will help drive forward your data protection compliance programme, conduct training and awareness sessions, review documents (e.g. privacy notices) and provide advice on conducting data protection impact assessments on new systems or services (mandatory requirement within the new Regulation)
  • Ad hoc advice and guidance - A vital and highly valued component of URM’s Virtual DPO Service is the prompt and practical advice and guidance you can gain in areas such as fulfilling data subject access requests, dealing with data breaches and responding to the ICO following a formal data subject complaint, either via phone or email
  • Annual DP audits - In order to provide the necessary assurance to the Board/Senior Management Team on your overall compliance with the GDPR and DPA 2018, the DPO is able to conduct an annual audit, where they will review various data protection activities including DPIAs and training sessions conducted. With each activity, the DPO will seek evidence/records of processing activities.

And The Learning Curve Too!

In addition to our consultancy services, we offer formal training via our 3 day BCS Foundation Certificate in Data Protection (CDP) course, as well as bespoke in-house training to shorten your learning curve if you don’t have internal expertise available. With the 3 day CDP course, you will be able to gain a solid grounding and practical interpretation of data protection legislation and receive clear guidance on topics such as gaining consent and learning when personal data can be disclosed.

In addition, URM can offer a range of tailored on-site DP courses to address your own specific requirements and audience.