The 25th May 2018 will be forever etched in the minds of many people, following the myriad of emails they received in the weeks leading up to the implementation of the General Data Protection Regulation (GDPR), reminding them of this important date. Now that it has passed and the GDPR is in force, the way that data protection is regulated across Europe and beyond has changed, affecting both the EU citizens it is designed to protect and the organisations required to comply with its terms.
For some, the “big day” was perhaps a little anticlimactic. Teams of regulators did not swoop in issuing hefty €20M fines for incorrectly drafted privacy notices or auditing every small business handling personal data. This reflects the message that the UK’s Information Commissioner’s Office (“ICO”) has been trying to promote over the past few months – that the GDPR should not be seen as a box-ticking exercise for organisations to be completed then forgotten about. In contrast to the message that the ICO conveyed in the months following the initial adoption of the GDPR – that businesses had ample time to get ready so should not expect any honeymoon period, after which the ICO’s new enforcement powers, including those large fines, would be used – the ICO’s more recent message is that the 25th May should rather be seen as the start of a new era in relation to data protection, bringing with it a cultural change as to how personal data is processed and protected on an ongoing basis. Their message very much focuses on the fact that businesses must see these changes as a continuous obligation and, as such, they must be able to evidence their ongoing compliance, reflecting the important new accountability principle within the GDPR.
Whilst the ICO and the EU Article 29 Working Party have produced some useful guidance to help organisations understand their compliance obligations, there are some areas in which we still await more detailed answers, such as how to differentiate risk from high risk and how to determine who exactly is required to appoint a DPO.
In the meantime, the key obligation for businesses to address is the requirement to be able to demonstrate GDPR compliance. This means developing an evidence file to show how you are meeting your obligations. It is with this requirement in mind that we have developed GDPR audit, retainer and staff training packages, all of which will help clients address GDPR issues and also contribute to their evidence files.
You can find out more about these services on our website [https://mbm.mltechnology.co.uk/how-we-can-help.html] or from our GDPR team:
Partner, Head of IP, Data & Contracts
Tel: 0131 226 8208
Solicitor, IP Data & Contracts
Tel: 0808 278 3192
Advisor, IP, Data & Contracts
Tel: 0808 278 3192
Attorney (admitted in New York)
IP, Data & Contracts
Tel: 0203 096 0118