Cheshire law firm, SAS Daniels LLP, is sharing the outline of its project plan to be fully compliant with the new General Data Protection Regulation (GDPR), in the hope it can help other local businesses in their preparations.
GDPR is the new EU regulation to harmonise data protection legislation across the EU and bring it into line with the modern ways data is used. GDPR will replace the outdated Data Protection Act 1998 in the UK and Brexit is likely to have little impact on its implementation into UK Law.
With a multi-disciplinary project team in place since May 2017, SAS Daniels is on track to be fully compliant with the new data regulation by the 25th May 2018 deadline. In order to help other local businesses navigate the changes, it has released the outline of its project plan that other businesses can follow.
Russell Oseman, Chief Operating Officer at SAS Daniels and leader of the GDPR project, said: “GDPR will affect every business, from SMEs to FTSE 100 companies, so all local businesses need to prepare to make significant changes as to how they manage individuals’ (data subjects’) personal data.
“The sheer volume of information available around GDPR makes it very daunting to plan for the changes. We’ve realised, however, since the inception of our project team last year, that it needn’t be overly complicated, and there is a logical structure to follow that can be implemented in any business.
“We operate in a regulated environment, so are used to compliance and risk management principles, as well as having in-house legal knowledge of data protection, so this has given us an advantage.
“Through our own GDPR preparations and discussions with fellow businesses, what becomes quickly apparent is that many believe only changes to IT systems are required and this is a huge misconception.
“The changes required to become compliant are business wide and span organisational, contractual, cultural and IT changes.
“That’s why we have a multi-disciplinary GDPR project team which includes a project manager, business analyst, IT and marketing representatives and a legal partner. Meanwhile, the work of the project team is regularly circulated to every person in the firm to ensure the cultural shift needed is happening, and everyone understands the importance of the project, including their involvement in it as an individual.
“With GDPR less than six months away, if you haven’t started preparing for it then you need to. We’re hoping that our own learnings and subsequent project plan will help other local companies to successfully transition from the current Data Protection Act to being GDPR compliant by the May deadline, with no unnecessary disruption to their day-to-day running.”
Businesses that are non-compliant or breach GDPR face tougher penalties and fines. The new regulation brings a number of changes, the most significant being: increased rights for data subjects to request access to their personal data, higher standards of consent, increased responsibilities for controllers and processors, shorter time limits for reporting breaches, and an increase in powers for supervisory bodies.
The eight-step plan from SAS Daniels to ensure a best-practice approach to being GDPR ready is:
1. Awareness and Communication
Gain the awareness and commitment of the Board and establish a plan to demonstrate the actions you are taking to all parties impacted (clients, suppliers, intermediaries, employees) so they can be confident in your future GDPR compliance.
2. Data audit and analysis
Outline your business or service in terms of data flows, noting the data types, processes and parties involved.
Think: whose data do you store? What data do you request? Why do you hold the data? How do you gain consent? Where do you store it? How do you process the data? Who do you share the data with? This analysis will help to identify the gaps and areas for improvement – a good starting point for any GDPR project.
3. IT and information security review
What are the potential improvements you can make to security? Ensure you can visibly demonstrate the security arrangements you put in place.
4. Privacy impact assessment
Review your systems to see where you can minimise the amount of personal data you ask for, and design any new systems with the impact on privacy in mind.
5. Review of data protection procedures and policies
Look at how you control personal data, handle data subject access requests and report data breaches.
6. Review of organisation
Align responsibilities to new procedures and consider your organisational requirement for appointing a Data Protection Officer (DPO), internally or externally.
7. Review of contracts
Establish what changes are required to contracts with clients, suppliers, intermediaries and employees.
8. Recommendations and actions
What actions are required as a result of the first eight steps? Take these and, like us, you’ll be in line to be fully GDPR compliant by 25th May 2018.
Russell added: “Our step-by-step plan ensures both logic and structure are applied. Breaking it down in this way makes it manageable for your business and gives you clarity in an area that is perceived as over-complicated. Clear communication allows you to demonstrate the actions you are taking to ensure GDPR compliance so that clients, suppliers, intermediaries and employees can be confident in your approach to data protection.”
Kaye Whitby, Partner and Head of Commercial Law at SAS Daniels, said: “The GDPR is an evolution; businesses must take action to ensure they know what they must do and how to do it. We are advising clients of different sizes across various sectors to achieve compliance and to make sure their internal and external documents protect their ‘information assets’ used for commercial advantage.
“There will be increased scrutiny and we can help you from a legal perspective to protect your business and avoid criminal liability and significant fines.”