The business world held its breath as 25 May 2018 came and went, the day on which the General Data Protection Regulation (GDPR) came into force, two years after its publication.
Guidance from the Information Commissioner’s Office suggested that the regulator would not necessarily flex its muscles immediately and seek to hit offenders with the maximum penalty (up to €20m or four percent of global turnover) for contraventions, whilst also highlighting the fact that businesses had already had ample time to get their houses in order.
It was over a year before the first major penalties were issued, with proposed fines of £183m and £99m to British Airways and the Marriott hotel chain respectively for failing to keep personal data secure. We can expect an increase in such cases, with possible criminal sanctions for more serious GDPR breaches.
Just as damaging is the bad publicity and reputational harm which a business can suffer following a data subject’s complaint that data has been obtained, stored or shared unlawfully.
For many organisations, it is a relatively straightforward task to conform to the new legislation. However, it is essential that all measures are clearly documented in order to demonstrate this.
Essential steps for any business include:
- Auditing data flow and recording where data enters and leaves the business.
- Documenting the lawful basis for each activity the business carries out with the data.
- Implementing appropriate technical and organisational security measures.
- Updating its contracts, particularly between data controllers and data processors.
- Ensuring that data subjects are able to enforce their rights under the GDPR.
- Sharing all of this information in an up-to-date Privacy Notice.