Data Protection and GDPR
In a data-rich world, and as good business managers, a thorough understanding of procedure and protocol is at the heart of best business practice. Document Lifestyle Management makes sure that you are aware of the reality of all legislation concerning GDPR and the Data Protection Act, and that you tick all the boxes. This includes safety and security, and how data is entrusted to customers, suppliers and staff. Whether you wish to be self-led or expert-led, DLM Group are here to guide you step-by-step on the path to compliance.
What is GDPR?
The GDPR was approved by the EU on 14 April 2016 and enforcement started on 25 May 2018; organisations in non-compliance face heavy fines from that date. GDPR replaces the Data Protection Directive 95/46/EC. Its aim is to protect all EU citizens from privacy and data breaches in an increasingly data-driven environment, and many changes have been made to the regulatory policies. The Data Protection Act 2018 is now in force in the UK, but it affects businesses around the world.
Questions to ask yourself are:
- Do you sell to the UK or the EEA?
- Do you monitor people in Europe or the UK?
- Do you employ European or UK citizens?
- Do you store or share data with suppliers or clients in other territories?
What does it mean for business management?
The biggest change to data privacy regulation is the extended reach of the GDPR: it applies to all companies processing the personal data of data subjects residing in the Union, regardless of the company's location. This has arisen in a number of high-profile court cases.
Under GDPR, organisations in breach of the rules can be fined up to 4% of annual global turnover or €20 million (whichever is greater). This is the maximum fine that can be imposed for the most serious infringements, e.g. not having sufficient customer consent to process data. Consent must also be clear and distinguishable from other matters, and provided in an intelligible and easily accessible form, using clear and plain language.
Privacy Impact Assessments (PIAs) need to be completed either by someone within your business or by a third-party expert; they help you identify and reduce the privacy risks of your projects. A PIA can reduce the risk of harm to individuals through the misuse of their personal information. It can also help you to design more efficient and effective processes for handling personal data.
A Data Protection Officer (DPO) is a role required by the General Data Protection Regulation. It applies to anyone dealing with large amounts of data, and every business should consider appointing a DPO; a PIA will identify to what level one is needed. Data protection officers are responsible for overseeing data protection strategy and implementation to ensure compliance with GDPR requirements. A DPO cannot be a controller or processor where a conflict of interest can exist.
Currently, controllers are required to notify their data processing activities to local Data Protection Agencies, which, for many, can be a bureaucratic nightmare. The DPO must be appointed on the basis of expert knowledge of data protection law and practices, and must be provided with appropriate resources to carry out their tasks and maintain that expert knowledge.
Document Lifestyle Management provides businesses with the following services:
- GDPR compliance and data protection
- Data Protection Officer services
- Privacy Impact Assessments
- Business process optimisation
- EU representation/Data Controller representation
- Representation in other territories
Contact us about how we can help you
To find out more about GDPR and document management, please call 01903 255389 or join our free membership service via the Expert's Corner page.