For many organisations, the lead-up to the GDPR compliance deadline of 25th May was a flurry of opt-ins, opt-outs and cookie preferences. Many small businesses, with their e-mail marketing lists cleansed and their privacy notices updated, now want to put GDPR behind them. Unfortunately, data protection compliance is a marathon, not a sprint, and there are important parts of the new legislation that many organisations still need to tackle.
Here at SO Legal we have been advising on all aspects of the new legislation and below are some of the key areas we believe many businesses are yet to address.
You’ve got your clients sorted but what about your employees?
Employees are data subjects too, which means that, as well as ensuring they are up to speed on the new rules, as an employer you need to tell them how you will process their data. Relying on employees' consent as the basis for processing their data, particularly special category (sensitive) personal data, is no longer a safe option: because of the imbalance of power between employer and employee, consent given in that relationship is unlikely to count as freely given. Those with a consent clause in their employment contracts should take note. Employers need to identify an alternative lawful basis for processing, record it, and communicate it to their employees, typically in an employee privacy notice.
Your data processors – IT providers, payroll etc.
Where you engage a third party to process personal data on your behalf, you will need a written data processing agreement in place. That third party is known as a processor; examples include an outsourced payroll service or an IT provider you use to send your marketing emails. A processor may only use the personal data on your documented instructions and does not decide the purposes for which, or the means by which, it is processed. Even so, you remain responsible for the data as controller and need to take steps to ensure it is handled in accordance with the legislation, which is why the agreement must set out the subject matter and duration of the processing, the processor's obligations (including security, confidentiality, assistance with data subject requests and breaches, and deletion or return of the data at the end of the contract) and the rules on engaging sub-processors. This agreement is an important aspect of your data protection compliance, and many existing supplier contracts will not contain the required terms.
There has been much talk about the increased fines the Information Commissioner can levy under the new legislation, but with the public at large a lot more data-protection savvy given the attention the GDPR has received, consideration also needs to be given to the reputational damage a business could suffer if it does not take steps to comply, or worse, suffers a data breach. Organisations in all sectors will see an increase in clients who are aware of how their data should be handled, as well as individuals looking to exercise their data protection rights, such as the right of access or the right to erasure (the "right to be forgotten"). When a data breach occurs, even if the ICO fine is relatively modest, would you be able to weather the reputational damage that will accompany it?
Arguably the biggest bone of contention for most organisations tackling GDPR compliance has been how to deal with existing mailing lists. Many have panicked and unnecessarily sent an 'opt-in' email to all clients, only to find their mailing list decimated, with few clients bothering to reply. An understanding of the marketing regulations (in the UK, the Privacy and Electronic Communications Regulations, PECR) and how they interact with the new legislation is essential for ensuring you get marketing right.
Demonstrate, Demonstrate, Demonstrate!
The road to compliance is paved with good intentions, and when it comes to GDPR those good intentions will need to be demonstrated and documented. One of the key differences between the new data protection regime and the old is the emphasis on accountability: being able to demonstrate your compliance. This means documenting the decisions you take, such as whether or not to appoint a data protection officer and which lawful basis you rely on for each processing activity, as well as ensuring you have an adequate retention and destruction policy in place. If the ICO does come knocking, those who are actually able to show what steps they have taken will fare much better than those who cannot.
To help our clients we are offering a FREE 30-minute data protection consultation (subject to T&Cs and availability) where we can discuss your business’ needs, dispel some GDPR myths and let you know how we can help.
Find out more here or call Adele Fields today on 01323 407555 to book your initial consultation.