Since the GDPR came into force in 2018, data protection law has evolved rapidly, and keeping up to date can be daunting for many businesses. Clients have also expressed increased concern about the effects of Brexit on their data protection compliance, and are anxious to know their obligations under the UK GDPR.
If we made sure that we were compliant with data protection law in 2018, do we need to do anything now?
Yes, it is very important to ensure that you review data protection compliance regularly. Not only does processing change over time, but case law and guidance from the ICO (the UK regulator) since the GDPR came into force should also be taken into account. Brexit may also mean that you need to look at your policies and procedures and make any necessary changes.
The ICO recommends that businesses carry out regular reviews of processing and, where appropriate, update privacy information and other documentation.
What are the risks if we fail to comply with the UK GDPR?
Potential fines can be significant - up to £17.5 million or 4% of total annual worldwide turnover, whichever is higher. Supervisory authorities have shown recently that they are not afraid of imposing large fines, and record-breaking fines have been imposed since the GDPR was implemented. The largest fine to date was €50 million (or £43.2 million), which the French regulator imposed on Google for various failures to comply with data protection law.
Reputational risk from failing to comply with the law should also be taken into account - data is very important to many businesses, and if customers are concerned that you will not handle their data correctly, they may be unwilling to provide it to you. Cyber attacks can also expose inadequate policies and procedures.
What is the best way to review data protection compliance?
Audits are an effective way of identifying any errors or areas that require attention. Many businesses put policies and procedures in place (in many cases under significant time pressure) before the implementation of the GDPR but have not reviewed their compliance since then, which means there may be gaps in compliance or issues you are not aware of. Such issues might only come to light if there is a data breach, a subject access request or an ICO investigation - by which point it may well be too late to fix the problem.
Is employee training important?
Training staff is an important step, and not only because it helps to reduce the risk of a data breach. Employees are a key part of ensuring your business complies with data protection law, so they must be reminded of their obligations and responsibilities to the business. For example, even a good policy on subject access requests will be of limited effect if employees do not know exactly what they need to do when they receive such a request.
We are an overseas company - do we need to comply with the UK GDPR?
The UK GDPR has an extra-territorial effect. Generally speaking, this means that it applies to businesses with an establishment in the UK (such as a UK branch), and those which (a) ‘target’ individuals in the UK by offering them goods or services; or (b) ‘monitor’ their behaviour, so far as their behaviour takes place in the UK. If you are unsure as to whether the UK GDPR applies to you, it is important to seek advice concerning your particular circumstances.
3CS offer an annual compliance service which includes: an audit to identify any gaps in your compliance before they become an issue, amending your documents where required, training for employees, and advice on urgent issues such as data breaches or investigations.
If you require assistance with data protection law or if you would like more information about our annual GDPR compliance service, please contact your 3CS consultant or the Corporate and Commercial department at 3CS.