What is GDPR compliance?

In May 2018, the General Data Protection Regulation (GDPR) became legally enforceable.  Unlike the previous Data Protection Act 1998, the new legislation requires you to be accountable for the personal data you hold in your organisation and demonstrate – on demand – how you comply. Simply reassuring someone you comply is no longer sufficient.

Many companies struggle with this – and certainly struggle to interpret what “compliance” is – and that is where Privacy Helper comes in.

Our team are experts in quickly identifying your core areas of risk and how to address these to ensure you are compliant.

What is GDPR compliance? How does it differ from the Data Protection Act 1998?

The GDPR is very different – which is why so many companies struggle to understand how their obligations have changed.

The Data Protection Act 1998 implemented an EU Directive in UK law. A Directive is a general set of guidelines that EU member states could interpret based on their own national laws.

The GDPR changed all of this: it is an EU Regulation (enshrined in UK law in the form of the Data Protection Act 2018) that all member states (yes, we are still included after Brexit) must abide by, and it is enforceable by law.

The changes brought in by the GDPR affect the whole business – not one specific area. To ensure this is communicated effectively, it is vital staff are trained on what compliance is and what it means. 

Training is one of the many privacy services we offer – and each session is tailored to the needs of your business and the types of personal data used.  The ICO consider training such a vital element of your GDPR compliance that, in the event of a breach, they will look favourably on companies that have a training schedule in place. Contact us today to ensure this area of GDPR compliance is covered.

To understand what compliance is, you must first understand what personal data is – sounds simple enough, but it surprises many people. Personal data is defined as: “any information that relates to an identifiable living person”.

This includes business email addresses that contain any part of an individual’s name. Generic email addresses are not included.

How to achieve GDPR compliance

Data Audit

The first step is to conduct a data audit – an analysis of what personal data you have in the business, and where. Part of this will be to find out where it comes from and where it is sent to (and how). Is it retained by the business, or sent to an external third party?

This is an essential first stage and, with many companies unsure of exactly what they are looking for, it is outsourced to specialist consultancies who can do the job quickly and accurately.

Our team have carried out over 250 audits since 2018 and can discover your personal data flows and expose your risks in just a couple of days, delivering a comprehensive report outlining your GDPR compliance roadmap.

Data Security

The second step is to understand what data security measures you have in place. Do you use encryption methods, or do you pseudonymise personal data when at rest? Off the back of the first-step audit, you should know what types of personal data are stored by the business, so you can begin implementing appropriate technical and security measures to protect this.

This is where the skillsets of IT developers and privacy specialists cross over. Many developers are aware of security measures such as encryption, two-factor authentication and role-based access, but don’t know their obligations around their use for privacy. Our technical specialists are on hand to advise and work through this with them. Get in touch to discuss this element.

Accountability and Governance

Someone in your business needs to take responsibility for your GDPR programme – and for ensuring data protection is an ongoing consideration in the business.

It will be their responsibility to ensure that any remediation programme you are working to remains on schedule and any obstacles it meets are overcome.

Maintaining a register of staff training activities will be key to their role – both new starters and refreshers for existing staff.

While this person is the internal contact, they may not be suitable to assume the role of Data Protection Officer (DPO) if the business requires one. An internal DPO appointment may create a conflict of interests, which goes against the nature of the GDPR.

Get in touch with us to gauge our thoughts on this, or see our Specialist DPO page to see how we can help support your named member of staff.

Privacy Rights

People have a right to see and understand what personal data you hold about them and how it is used – they also have a right to know how long you will retain a copy of it, and your reasons for this.

As part of your GDPR compliance effort, you should ensure you are able to recognise these requests when they are received – a Subject Access Request is sometimes made in another form, and your staff need to be aware of what to look for.

Individuals have a right to:

  • Correct or update personal data you hold on them - This is at any time… and with ease!

  • Request deletion of their personal data - HOWEVER, there are many circumstances in which this deletion request cannot be actioned or actioned in-part and your understanding of this will reflect on your level of GDPR compliance.

  • Customers should be able to ask you to stop processing their data at any time - Your ability to action this request will depend on the level of detail your data audit went into – it’s important to know exactly where specific datasets are held.

  • Data subjects should be able to request you send a copy of their personal data in a readable format to another company - This may seem unfair from a business competition perspective, but from a privacy perspective, the data subject owns that data, not you!

  • Data subjects can object to a specific processing activity - Especially direct marketing. Essential if you use “legitimate interest” as your legal basis and someone opts out of marketing.

  • If you make decisions about people based on automated processes, you have a duty to protect their rights - If decisions are made based on these automated processes, you’ll need to demonstrate you have a right to do so – and have conducted a Data Privacy Impact Assessment.

What does non-compliance mean?

Non-compliance puts you in a difficult position. It may have little, or no effect on the business now, but at some point in the future, you will receive a request from a data subject wishing to exercise their rights, or a prospect asking you to demonstrate your compliance before engaging with you.

In both instances, it may be too late – as we have explained, GDPR compliance is a complex journey and, while there are plenty of “quick wins” that set you on this path, the processes and policies that your prospects will be looking for are not created overnight.

This is not forgetting the potential fines that the data protection regulators are now imposing:

  • Non-compliance with the Regulation’s security standards can result in a fine of up to €10 million or 2% of global annual turnover – whichever is the higher.

  • Non-compliance with the Regulation’s privacy standards can result in a fine of up to €20 million or 4% of global annual turnover – whichever is the higher.

Ensure you are able to demonstrate GDPR compliance by contacting our team now – we’ll work with you in a manageable way.

How much will GDPR compliance cost me?

Without knowing your business, or what you have done to date, it’s difficult to say – but in keeping with our ethos, our pricing structure is simple, straightforward and highly competitive – there are no “day rates”; you only pay for the time we work!

We charge £125 per hour (plus VAT), per consultant, irrespective of the task, or engagement. This is highly competitive compared to other London GDPR consultancy services – why pay more for GDPR compliance, if you still have access to the experts?

When on site, our working day is 9am – 5pm.  For site visits, reasonable subsistence expenses are charged, however these are all agreed by you in advance. On large-scale projects, where our Global Privacy Consultants are engaged, fees are £1,250 + VAT.

Our hourly rates mean you only pay for EXACTLY the time we need for the task – our hours are recorded on timesheets, so we are fully accountable for time vs tasks!

New Clients

If you are a new client, we require 50% of the engagement invoice to be paid at the time of booking, with the remainder (plus any expenses) due within 48 hours of the completed project being delivered.

We hope this gives clients the confidence to engage with us – proving that we’re committed to providing you with a first-class professional data protection service, and one that you will be confident to tell your business network about.

Existing Clients

We believe in making it easy for our clients to work with us long-term, without needing to sign off each project – this can be a strain on administration and internal resources.

By signing off a batch of days or hours, these can be drawn upon by the team when required.  At the end of each month, we raise an invoice based on the tasks worked on, using your main PO as a reference.

Get in touch today to speak to our specialist consultants and let us take the worry out of your GDPR programme – it could be the best call you make today to give your business the confidence it needs to tackle this obstacle.


Why choose us?

Click here to find out why we are the UK’s #1 privacy consultancy.


How much will this cost?

Our pricing structure is simple, straightforward and highly competitive. Head over to our pricing page and take a look at our most popular packages.


What next?

Get in touch via our contact us page, tell us about your business and a member of our team will get back to you.

Other services you may be interested in from PRIVACYHELPER

DPO services

We offer DPO packages to suit your business needs – from a basic advisory service for smaller businesses to integrating ourselves within the operation of larger businesses.


GDPR Consultancy

Our Privacy Team consists of expert data protection consultants in the fields of IT & Technical, Legal, Records Management and Marketing.


Training

An effective, demonstrable training programme can be the difference between the ICO imposing monetary fines – or not, even if your data privacy programme has just started.
