Under the Data Protection Act 1998 all businesses in the UK that hold data about clients, contractors and employees (all referred to as "data subjects"), must have legal grounds for doing so. Historically, this has often been on the grounds of the data subject's consent, which is not defined in the legislation, but is described in EU data protection directives as being 'freely given', 'specific', 'informed' and 'unambiguous'. Business's could even hold data without active consent if passive consent was deemed to be in a 'totally unambiguous context'.
The General Data Protection Regulations, which will be enforced from May 25th this year, place a much higher threshold on the consent that busineses need to demonstrate in order to process a data subject's personal, or sensitive personal data. So much higher is this threshold, that we believe businesses would be ill advised to rely solely on 'consent' as grounds for processing data. Instead they should be able to demonstrate that the date is also held on legitimate, justifiable grounds under GDPR, such as contractual obligation, or compliance with Employment laws.
Additionally, compliance with GDPR means that businesses must:
Demonstrate that they acquire, retain, process, share, and dispose of data in a way that is GDPR compliant.
Demonstrate that they operate in a way that is fully compatible with data subject's rights under GDPR, including their 'right to be forgotten'.
Prove that new business undertakings are carried out with data privacy assessments at the heart of their decision making process, not something looked at as an afterthought
Have their policies (including their privacy notices) up to date, and provide evidence that compliance with this policy is something that is actively communicated through team training, regular updates and reviews, and briefings as to what every employee must do on a practical, daily basis to ensure that their practices are compliant.
Whereas a breach of the Data Protection Act could lead to a fine of up to £500K, the Information Commissioner's Office can issue fines of up to 20 million Euros or 4% of a business's takings for the past 12 months: Crippling for a large business and devastating for a medium to small one; not to mention the impact of damage to their reputation.
Preparing for this sounds like, and indeed is, a lot of work, and unlike some compliance measures, GDPR compliance is an everyday ongoing part of business activities; as opposed to, say, an annual insurance review and renewal.
This does not mean however, that it should be overly onerous, or that once it is incorporated into the everyday practices of your business, it should be too time consuming. Most of all, it need not be too expensive.
Since GDPR came on to the horizon, there have been a number of consultancies who have set themselves up to charge several thousand (or even tens of thousands) pounds to conduct GDPR audits. Vallum has put together a package that we are confident will provide businesses with the tools they need to become GDPR compliant. We can do much of the initial work for you; and while we will not able to do everything for you in the future, we can set you up with everything you need today; and for a far more competitive price than is often advertised in the current market.
We have implemented our initial package into two businesses in the last 4 weeks, one of which deals not just with personal data, but with sensitive personal data, including medical records (a 'baptism of fire' for the tools we have produced). In both cases our feedback has been that we have left our clients set up for success, and most important, a licence to operate with peace of mind.