Don’t panic if GDPR compliance is still on your agenda.
Although the 25th May 2018 was the official deadline by which all businesses must comply with the GDPR, it would be unrealistic for the UK regulator, the Information Commissioner’s Office (ICO), to expect all businesses operating in the UK to be fully compliant by that date.
As we’ve advised many of our clients, it is highly unlikely that the ICO will be handing large fines to smaller businesses at this stage. Whilst the ICO exists to ensure that data protection legislation is complied with by all organisations equally, it is more likely to scrutinise the processing activities and security measures of larger, higher-profile organisations in the coming months.
At the time of writing (two weeks after implementation of GDPR) we cannot envisage a situation where a small business or sole trader will be slapped with a significant fine; not least because such fines are likely to be considered disproportionate to the amount of data such entities process, and to the significance and seriousness of any data breach.
The above said, this should not be taken as a green light to sit back and do nothing. The GDPR is clear: all entities processing data for non-private purposes must comply. If you have taken no steps to date, you are highly unlikely to be GDPR compliant.
The first step is to ensure that you have reviewed your processing activities and that this has been documented internally. What data do you hold? Why do you hold that data? What activities are you lawfully able to carry out in respect of that data? Who is the data transferred to, and where are those entities established?
We also highly recommend ensuring that your privacy notices/policies are updated to include the key information the GDPR requires, as well as ensuring that you have the mandatory contractual provisions in place with third-party processors to whom you disclose data. You may also require an internal record of processing activities in order to be GDPR compliant.