Over two years since the much-heralded introduction of the GDPR, some businesses are still struggling to understand and implement many of the law’s principle requirements. Many business leaders now see the GDPR as an issue largely affecting their IT teams and some even wonder if the GDPR still applies now that the UK has left the EU. The focus on data protection and risk of imminent fines has been replaced by a sense that we’ve all been swept away by the hype.

But the requirements of the GDPR and the associated fines for non-compliance are still very real. Even during a global pandemic, the responsibilities of businesses - and business leaders as legally culpable individuals – to ensure the fair treatment of individuals with regards to the security and usage of their personal data, remains.

At norm. our lawyer-led data protection team act as outsourced DPOs for businesses across the UK. We hear the same questions from business leaders time and time again, which is why we’ve created a refresher guide on what the GDPR is, what your responsibilities are and why it should matter.

The General Data Protection Regulation (GDPR) is the EU law on data protection and privacy in the European Union and the European Economic Area. It came into effect on 25th May, 2018. Even though the UK has left the EU, it still has a direct impact on UK law and applies until the end of the agreed transition period (currently 31 December 2020).

After this date, it will continue to form part of UK law with some technical changes to make it work effectively in a UK context. In practice it’s about the fair and proper use of information about people.

According to the Information Commissioners Office (ICO): “ …it’s really about building trust between people and organisations. It’s about treating people fairly and openly, recognising their right to have control over their own identity and their interactions with others, and striking a balance with the wider interests of society”.

One of the key objectives of the GDPR is to remove barriers to trade by enabling the free flow of personal data across borders within the European Economic Area, by providing one set of data protection and privacy rules that apply to all. To fully appreciate the benefits of the GDPR contrast it with the situation in the USA, where there is no federal data protection or privacy law and each of the 50 states has its own ‘rules’.

The GDPR applies to any organisation that has personal data about people for any business purpose. The law applies to any processing of personal data, and is relevant to most organisations, whatever their size.

What does that mean in practice?

The GDPR puts a legal responsibility on businesses of all sizes to:

• Recognise that their role in relation to the personal data they are processing is crucial in ensuring compliance with the GDPR and the fair treatment of individuals
• Understand that the obligations of a business under the GDPR vary depending on whether they are a ‘controller’ or ‘processor’ (and how those two roles differ)

The GDPR doesn’t set many absolute rules, instead taking a risk-based approach to some key principles. That means it’s flexible and can be applied to a range of situations, but it puts the onus on businesses to:

• Think about - and take responsibility for - the specific ways they use personal data
• Assess and document the personal data and processing activities it carries out
• Consider not only its own security measures, but also those of other organisations (those that are its ‘data processors’)

It also emphasises the need for organisations to not only be compliant with the GDPR, but also to demonstrate that compliance. The ICO has published its Accountability Framework to assist companies with this task.

Perhaps the most significant realisation most businesses and business leaders need to have is that compliance with the GDPR is not a ‘one-off‘ exercise, but something that requires regular monitoring at the most senior level.

People are more aware than ever of the impact of data protection on their personal lives. They increasingly understand that personal data is the currency that makes services possible, and they’re thinking carefully about the trade-offs of sharing personal information.

Respecting people’s privacy is becoming an expectation and failure to understand this means, in many cases, the ‘court of public opinion’ can be far more damaging to a business than the actual law. Just look at Cambridge Analytica for examples.

This means it’s more important than ever that - for commercial, let alone legal reasons - businesses are transparent with people regarding what is done with their data.

Organisations that are found to have breached the GDPR - for example by not having fundamental cyber security controls in place to protect personal information, can face fines of up to €20 million or 4% of annual turnover, whichever is greater. You can find out more about the latest GDPR fines here.

The business benefits of the GDPR There are some specific ways in which data protection and privacy protection can add value to your business:

Avoid losing valuable business relationships

By not complying with contractual requirements for privacy protections.

Strengthen and grow business

Fewer breaches mean less risk of incurring fines or losing trust, and as a result losing customers and compromising other revenue streams. Businesses that explicitly make clear that data protection is a priority and can demonstrate this will build emotional connections to their brand, which will improve brand value and customer loyalty. Businesses that implement privacy protections, which provide such controls, will become preferred by customers over competitors which do not provide such controls.

Support ethics

Most businesses have established ethics policies, or a code of ethics. Such ethics policies typically indicate something to the effect that information will be handled responsibly. These ethics will conflict with actions or inactions that risk harm to people’s personal data.

Respect customer rights

The general public is much more privacy-aware now than it has ever been. Individuals are also becoming more aware of their increasing rights, including access to and control over their personal data. Demonstrating that you understand and respect your customers’ personal data goes a long way to fostering long-term, sustainable relationships based on trust.

DPO means Data Protection Officer and plays an important role in compliance with the GDPR. Whilst not compulsory for all businesses, the GDPR requires organisations to appoint a Data Protection Officer (DPO) in certain circumstances.

The Information Commissioner’s Office (ICO) expects voluntary appointments in many other circumstances.

The ICO has stated that “Even if you’re not obliged to appoint a DPO, it is very important that you have sufficient staff, skills and reporting structures in place to meet your obligations under the GDPR”.

Furthermore, the GDPR requires that “The DPO must be independent, an expert in data protection, adequately resourced, and report to the highest management level”.

The appointment of a DPO is vital to supporting businesses with the following:

• Understanding their role in relation to the personal data they are processing
• Taking responsibility for the specific ways it uses personal data
• Documenting the personal data processing activities it carries out
• Assessing its own security measures and those of its data processors
  
  

In addition, a DPO will:

• Monitor an organisation’s internal compliance with the GDPR
• Provide information and advice on its data protection obligations
• Provide guidance regarding Data Protection Impact Assessments (DPIAs)
• Act as a contact point for data protection and privacy issues

A good DPO will…

…act as a strategic adviser to the business as a whole, not just in regard to protecting personal data and its subjects. Data and the insights it provides can be used to shape product and service development, to give insights into customer behaviour and to improve customer service and relationships An effective DPO will ensure that an organisation is able to use data in a way that benefits all parties, while fostering trust and sustainability between them.

Click here to complete our ten minute GDPR assessment and find out whether your organisation is compliant with the GDPR.