4th May 2018
In a speech given at the beginning of February 2018, the UK’s Information Commissioner had this to say:
“While there will be no grace period – you’ve had two years to prepare – I know that when 25 May dawns, there will be many organisations that are less than 100 per cent compliant. This is a long haul and preparations will be ongoing. But if you self-report a breach, engage with us to resolve issues, can demonstrate effective accountability arrangements, you will find us to be fair. Enforcement will be proportionate and, as it is now, a last resort”.
In this newsletter, we take stock of the position with the latest UK and European-level guidance on GDPR. We then focus on recent guidance covering: the ‘security principle’ and personal data breaches; lawful bases for processing personal data, in particular the ‘legitimate interests’ basis; and requirements regarding documentation.
The Information Commissioner has emphasised previously how the new law is about “greater transparency, enhanced rights for citizens and increased accountability”. It has been described as “an evolution in data protection, not a total revolution” and the message for businesses is that “if you are already complying with the terms of the Data Protection Act, and have an effective data governance programme in place, then you are already well on the way to being ready for GDPR”.
Essentially, GDPR is about good business practice: being accountable, transparent and fair; managing data responsibly; giving individuals greater choice and control over how their personal data is used; building a culture of privacy; and integrating data protection into the heart of the business. Looking beyond issues of pure compliance, GDPR provides organisations with an opportunity to innovate, to review and improve data management, and to maximise the potential of their data assets.
In one of our earlier briefings, we set out a checklist of the practical steps for organisations to take. However GDPR-ready you are, and whichever sector you operate in, our specialists are here to help with all aspects of GDPR compliance. Please do not hesitate to contact Jeanette Burgess or Andrew Northage if you require any assistance.