What happens if… I have still not done anything about GDPR one year on

On 25 May 2019, it will be exactly one year since the introduction of the GDPR, which aimed to strengthen the UK’s data protection laws and introduced significant fines for those that failed to meet their new duties.

Recent evidence suggests that there may still be hundreds of businesses, particularly SMEs, who are not yet compliant with GDPR.

A recent study by the insurance company Hiscox found that over a third of SMEs still do not know who GDPR affects, while a further one in ten small businesses do not think that individuals have any new rights following its introduction.

So far, the Information Commissioner's Office (ICO), which is responsible for the enforcement of the GDPR in the UK, has taken limited formal action against 53 organisations since the GDPR became law.

The ICO indicated that it would seek to give guidance in the first year of the GDPR but would take a stricter approach from then on.

Back to basics

Can your business demonstrate that it meets the six principles of the GDPR when using personal data?

Can your business show:

  1. it processes personal data lawfully, fairly and in a transparent manner?
  2. it collects personal data for a specific, explicit and legitimate purpose?
  3. the data collected is adequate, relevant and limited to what is necessary?
  4. it keeps the data accurate and up to date?
  5. it does not keep the data longer than is necessary?
  6. it keeps data secure?

GDPR is more than obtaining consent to use data. In many cases, consent is not valid or not needed.

Those found in breach of the GDPR could face fines of up to €20 million or four per cent of the worldwide annual revenue of the prior financial year, whichever is higher. Even sending personal data to a personal email address can be a breach of the GDPR.

Still haven’t done anything yet?

If you have taken few or no steps towards GDPR compliance then it is critical that you seek legal advice now.

Hethertons’ expertise will help you ensure that everything from your privacy policy to your standard contract terms is in line with the GDPR and that you are processing personal data in the most appropriate way.

We can check whether you have the necessary processes in place to deal with a data breach or a subject access request.

You can no longer delay on GDPR and must take the steps required to make sure your business is compliant.

Hethertons’ Business Support Unit can give you expert advice on all aspects of GDPR and how it may affect your business. Call David Scott on 01904 528223 to see how we can help you.