New data protection laws may have made a lot of headlines in recent weeks and months, but if you’re still not fully sure of your obligations then you’re not alone.

Many businesses have struggled to fully understand the scope of the new rules, or are unsure of how to comply with them.

If that sounds familiar, don’t worry! We have been working with Aimee Stuart, a Law Society of Scotland-award-winning trainee solicitor at Stuart & Co, to break down the regulations and detail the steps your business needs to take to stay on the right side of the law.

For those that are worried about GDPR, Stuart & Co has you covered. Just scroll to the bottom of this article for details of their all-in-one GDPR offer.

First of all, what is GDPR?

The General Data Protection Regulation (GDPR) replaced the Data Protection Act 1998 on 25th May 2018.

It covers how businesses must protect and process personal data belonging to both staff and customers.


What’s in the new legislation?

“The GDPR provides that living individuals who are members of the European Economic Area have the fundamental right to have their personal data protected,” says Aimee.

“Personal data may only be processed, i.e. obtained, recorded, held, used or disclosed, under certain circumstances.

“GDPR has increased the definition of personal data to include IP addresses and mobile device IDs. In some cases, even data that has been pseudonymised (security key-coded, for example) may qualify. All such data must be held securely for no longer than is necessary.”


This is a European law. Can I just wait until Brexit happens?

No!

“Every business operating in the UK must comply with the GDPR,” says Aimee. “The Regulation will affect the UK regardless of Brexit as the GDPR applies to any party processing EU citizens’ personal data wherever that party is located.”


How will non-compliance be punished?

Significant fines and reputational damage.

Aimee says: “Failure to protect personal data could be considered a failure by any director to promote the success of their company (s.172 Companies Act 2006). It may also be seen as a failure to exercise reasonable care, skill and diligence, which could result in an action for damages against an individual director and/or their termination or disqualification from office.

“Given this, now is the time to review, take control of personal data, and make any necessary changes to processes.”


What does my business need to do?

Firstly, a business must establish:

  • what personal data it holds
  • why it has such data
  • who can access this personal data
  • what it is intending to do with this data

“This is not a one-off exercise but must be an evolving record which is constantly updated,” says Aimee. “Businesses cannot hold or process data unless there is a legal basis, i.e. at least one of the provisions in Article 6 of the GDPR applies.

“Where consent is relied upon as a lawful basis for the use of personal data, to process personal data it must be based on clear affirmative action, freely given, specific, informed and unambiguous.”

Secondly, there must be a positive “opt-in” which cannot be inferred by an individual’s silence, pre-ticked boxes or inactivity.

Aimee adds: “This means requests for consent should be separate from other terms and conditions and need to be written in clear, plain language.”

Third, businesses are required to establish who will maintain their data register and promote a culture which permits adherence to the regulation. This requires more than creating new policy documents; it involves:

  • dealing timeously with subject access requests
  • housekeeping the ebb and flow of data subject consents
  • reporting timeously any breaches which arise

Clear policies and procedures and staff training will help businesses achieve compliance.


Anything else?

Aimee says: “Businesses must make available sufficient resources – financial, technological and in terms of human resources – to promote compliance with the GDPR.”

This should include:

  • Training programmes for staff at all levels
  • Providing internal policies to staff outlining their requirement to comply with the new Regulation and outlining the company’s policy regarding the retention of staff personal data
  • A non-exhaustive list of company documents and policies should include:
    • a GDPR Policy
    • a Data Retention Policy
    • a Communications Policy
    • a Bring Your Own Device to Work (BYOD) Policy
    • an Employee Privacy Notice
    • a letter from the company to employees outlining compliance requirements and the company’s policy regarding staff personal data
    • an update of Web Terms and Conditions
    • an update of your web Privacy Policy
  • A review of the company’s technology, and of its digital collection, processing and storage of personal data, to ensure compliance with the new Regulation. This is best done by creating a data flow diagram as an audit trail document.

This article was collated with extensive help by Aimee Stuart of Stuart & Co. Aimee completed the Diploma in Legal Practice with Distinction from The University of Aberdeen. She graduated in 2016 from The University of Aberdeen with a 2:1 LLB Law (Honours), and won the Law Society of Scotland DPLP Prize.

Stuart & Co is an IT and Intellectual Property specialist, qualified to conduct work throughout the UK. It serves more than 200 technology clients ranging from start-ups to international brands.


We can’t do all this GDPR stuff by ourselves. Help!

Stuart & Co is currently offering an all-in-one service to help businesses become GDPR compliant, including a comprehensive GDPR compliance pack for a fixed price of £750.

To discuss your specific GDPR requirements, contact Alan Stuart on 0131 467 1708 or [email protected] … and please don’t forget to mention that seoBusiness recommended them.
