The UK General Data Protection Regulation
UK GDPR (Data Protection Act 2018) requires all organisations (large and small) to adhere to its regulations and key principles when processing data that is considered to be about a ‘natural person’ (Note – our exit from the European Union has made no difference to this legal requirement).
In reality, this impacts all organisations that have employees, customers and suppliers that are UK and EU citizens, including those organisations based outside of the UK and EU.
UK GDPR presents a real risk to all organisations due to the nature and size of the financial penalties and also the reputational damage associated with non-compliance. These penalties can be as high as £20 million or 4% of the global group turnover, whichever is the higher figure.
How do we assess your UK GDPR compliance?
Our certified UK GDPR consultants meet with your team to audit your current level of compliance
Our initial approach is to undertake a high-level audit of your organisation's existing baseline compliance status. This audit is aligned to the specific requirements of the legislation. We then review the audit findings, which form the basis for the privacy-by-design plan that we implement as part of our compliance project activities.
Compliance management is designed to resolve all existing gaps in your organisation's compliance with data protection legislation.
What have you done to date to comply with the UK GDPR? What is your approach to privacy management?
We will need to understand your overall approach to data privacy management and your adherence to the key data protection principles. It is important to understand the general culture and how you process personal data. We also need to understand your general approach to risk management and, crucially, the security of that processing – are you keeping the data safe? We document your current compliance status and adherence to all of the main articles of the UK GDPR.
We need to have a detailed understanding of how you process personally identifiable information (PII).
It’s vital to discover the full details of your current processing of personally identifiable information (PII).
We need to identify and evaluate the level of risk exposure and how we can enable you to mitigate those risks whilst demonstrating an effective but pragmatic level of UK GDPR compliance.
Our expertise in digital data management systems complements our legal skills to provide you with an all-round risk assessment of the processing of personal data. This combination of skills and experience significantly differentiates the value that Data Privacy Services provides in this sector.
We document your processing within a Data Processing Inventory; this is a legal requirement and forms the ‘building block’ of data protection compliance.
What policies and procedures are in place? What data privacy governance is established?
You must be able to demonstrate compliance with the UK GDPR (Data Protection Act 2018, UK).
One of the key ways to achieve this is to have the correct policies and procedures in place (we call this a governance framework of evidence). We advise on any gaps in documentation and on how these documents effectively demonstrate compliance.
We will provide all of the necessary documentation if you hire us to complete a GDPR compliance Project. This can be fast-tracked based upon our GDPR toolkit of documentation.
We will also develop specific privacy policies and notices for specific purposes such as your organisation's website, employees and users of other applications such as CRM solutions.
Are you training your employees? Are you communicating your data protection approach?
We assess how you are currently training your team and communicating with them regarding their own rights as ‘data subjects’ as well as their obligations within the workplace.
We also review your overall communications, especially with third parties, so that you collectively demonstrate compliance (e.g. your controller to processor relationships).
Note – we can also provide a range of training courses to enable your organisation to demonstrate how it meets this key area of compliance.
Compliance services you can trust
How long will it take for my organisation to be compliant?
This very much depends upon your chosen approach. If you engage Data Privacy Services to undertake a UK GDPR compliance Project, this typically takes up to about six weeks.
To start with, we assess the compliance status and then review your processing of personal data by producing the Data Processing Inventory (e.g. a Record of Processing Activities, or ROPA). This is an important legal requirement, but it also forms the building block of compliance as it is used to assess the risks of the processing.
We then take a risk based approach to bridging the gaps in compliance which usually involves developing the missing documentation, implementing processes and procedures and ensuring that there is suitable training in place.
All of this does take time, but usually we get this all done within a six week period.
We take on the compliance overhead
How much of an overhead is this on the organisation's employees?
Our team of professional accredited UK GDPR consultants and DPOs can assist your organisation to achieve full compliance in a matter of weeks.
We do have to work with an appointed person within your organisation so that we have a single point of contact that can assist us with information, existing documentation and also be on hand to answer any queries that we may have.
Overall, our UK GDPR compliance Projects are not a significant overhead on the organisation's management team and staff members. We like to believe that we are fairly ‘self-sufficient’ in the way that we manage the delivery of data protection compliance.
There is a need for catch-up meetings, interaction with some subject matter experts (especially during the development of the Data Processing Inventory) and with IT for a review of the digital systems.