GDPR: One year on

Soraya Salhi, a solicitor in our Commercial & Technology team, reviews compliance with the GDPR in the run-up to its first anniversary.

The General Data Protection Regulation (GDPR) came into force on 25 May 2018, and published statistics indicate that, since its introduction, data protection authorities across the EU have seen a surge in activity. In the UK the Information Commissioner’s Office has received thousands of complaints from individuals concerned about how their personal data is being used, as well as thousands of breach reports from businesses.

Although the new rules have undoubtedly increased awareness among both individuals and businesses, many businesses are still failing to comply with the GDPR (and the Data Protection Act 2018) or have done the bare minimum to comply.

We still come across businesses which have not updated their website privacy policies for GDPR or have made updates to the policy without having made underlying changes to their data processing and security practices. Examples of non-compliance include:

  1. Using data for purposes which are not mentioned in the privacy policy.
  2. Not being clear about the lawful basis for processing (especially for marketing purposes).
  3. Failing to train staff.
  4. Sitting on subject access requests – and then panicking as a result.
  5. Struggling to decide on, and implement, appropriate retention periods for data.
  6. Not understanding whether relationships with clients and suppliers are controller/controller or controller/processor.
  7. Not updating the existing data protection clauses in their contracts.
  8. Having overly complicated data protection policies.
  9. Struggling with documentation in relation to international data transfers.
  10. Forgetting about data protection when signing NDAs.

As with any form of compliance, data protection is a risk management issue, so prevention is invariably better than cure. In many cases, addressing a few key areas can significantly reduce the risk a business faces – the trick is to work out what the greatest risks are to your particular business and the way it operates, and which changes would be appropriate and have the greatest effect.

We also recommend that businesses keep their privacy processes under regular review, and the first anniversary of the GDPR is an obvious time to do this – to see how the changes you made are working one year on and to identify any further changes which ought to be made.

While there is no shortage of information available online about GDPR compliance, you may benefit from having professional advice which is properly tailored to your particular circumstances. If you would like a no-obligation discussion with us about this topic, please contact Soraya Salhi or one of the other members of FSP’s Commercial & Technology team.