General Data Protection Regulation (GDPR) is often seen as yet another piece of legislation that puts more obligations on a business. Non-compliance can be damaging, however, many business managers have yet to take simple steps towards protecting against risks relating to GDPR.  Becoming compliant needn’t be over complicated. This piece explores how to simplify your processes and to reduce exposure to GDPR related risk.

A risk based approach to GDPR

Managing data protection obligations has come into clearer focus over the last few years due to the additional regulatory requirements imposed by the GDPR. There is a very real threat of this legislation becoming a divisive tool in the event of legal action against the organisation. There are three distinct categories of activity that any organisation should consider to evaluate their level of data protection maturity:

1. Gap analysis to identify exposures
2. A plan of action to understand the risks and close vulnerabilities
3. A clear and simple ‘monitoring, reporting and reaction’ plan for ongoing management and oversight

This may sound simple, and these activities may overlap, however, segmenting your approach in this manner brings clarity. It enables you to impose structure on those engaged to manage these obligations for the organisation. These steps will enable a risk based approach and position the organisation to embed a culture of data protection. They will also minimise the effort required to remain compliant.

Where the risks from GDPR will come from

The risk of liability will typically come from members of staff, your customers/suppliers, or from criminality.

Employees and GDPR Compliance

There are many issues to consider in relation to Staff however, these three are likely to help you to significantly reduce risk;

1. Have a well written data protection terms in your employee contracts or handbook. Remember to cover the use of e-mail, social media and use of ‘work based’ personal data in the event of an Access Request.
2. Electronic Surveillance; this is the most likely activity for a solicitor to focus on in the event of conflict. Significant awards have been awarded for infringements relating to the monitoring of staff in the workplace. If you use cctv, voice recording, biometric time and attendance or GPS tracking you need to ensure this data is used lawfully. Reliance on data used unlawfully can jeopardise a case and an opposing lawyer will know this. Real caution is advisable.
3. Training; provide your staff with appropriate ‘street wise’ GDPR training and they are less likely to inadvertently cause you a liability.

Customers or suppliers and GDPR Compliance

Where a customer or supplier owes you money, has a complaint or is exposed to a liability themselves and they seek legal advice, they are likely to use any GDPR infringements by you to their benefit. The top actions to protect yourself from claims are to;

1. Have well written data protection clause in contracts with customers and suppliers
2. Where they provide you with 3^rd party personal date (their employees & etc) ensure that they warrant that that data has been obtained lawfully
3. Cater for the transfer of debt and use of sub-contractors.

Cyber attack and GDPR Compliance

This is becoming an increasingly relevant concern to all organisations as ill-doers are becoming more aware to the value of personal data, how easy it is to sell it on the dark web, and that controllers will often pay to retrieve their data (rather than it to be made public). There are many element to an organisation’s defence against criminality, however, some common items requiring attention are;

1. Keeping paper documents secure, particularly the personal data of customers or clients.
2. Knowing where your digital data is processed and how it is used. Many organisations do not know where their data is, often somewhere in the cloud or on e-mails or on managed services, and do not have a full picture of how that data is processed. A simple data flow map that is easily understood by management can be very informative and a practical solution.
3. Good housekeeping; Keep anti-virus and firewall software up to date and systematically examine access logs to your IT systems and secure locations.
4. Most staff have a positive approach to data security when their responsibilities and obligations are explained in a clear manner and without the legal mumble-jumble.

How to manage risk from data protection regulation

A measured response to GDPR

The management of your obligations should be proportionate to the scale and nature of the organisation and while regulated industries require a greater level of oversight and accountability, the 80/20 typically applies. You can enjoy 80% of the effect from 20% of effort. Getting the basics right will protect you from the majority of potential liabilities.

Be aware of false positives

Many organisations have documentation or processes in place to manage GDPR obligations that are high on good intent, however, often miss key elements that;

• A claimant’s solicitor will focus upon in the event of a claim
• Are designed to protect the organisation form harm
• Can be implemented in practice in the context of a particular industry

Top offenders are often the IT department or a legal person with a surface level knowledge of the relevant legislation. A maturity analysis in the context of your current preparedness for a GDPR related claim may close many gaps and minimise your exposure to risk.

Remaining compliant

The basics are simple;

• Know the purpose and basis for processing personal data
• Have the basic data protection policies in place
• Inform subjects of their rights
• Have an ‘Access Request’ and ‘Breach’ process in place
• Keep personal data secure

These are the basics that a lawyer will require to protect you in the event of GDPR being used in a claim against you.

You can find free ‘Access Request’ and ‘Breach’ processes here.

Getting professional support

We understand that all organisations are different. If you could benefit from practical assistance to reduce your exposure to risk form GDPR or to streamline your processes, please feel free to contact us for a confidential initial conversation.