GDPR, EU Regulation
A new EU regulation will soon come into effect that will impact how all organisations collect and process people’s personal data. Known as the General Data Protection Regulation, GDPR will become law on 25th May 2018.
As we approach May 2018, we are currently focused on our GDPR compliance efforts. During our implementation period for the Regulation, we are evaluating the new requirements and restrictions imposed by the GDPR and will take any action necessary and/or appropriate to ensure that we handle personal data in compliance with applicable law by the 2018 deadline.
Our clients will receive updated terms of business based on the changes we have implemented, and these will be rolled out early in 2018.
We utilise many industry-standard information systems and secure third-party cloud-based solutions, all with restricted access to client data by our employees and agents. Our emails and website are also encrypted for extra safety in situations where an exchange of personal data may take place. As a company, we only hold personal details on our clients that are necessary for the lawful processing activities associated with the delivery of our products and services. With an established lawful basis for such processing, we anticipate a smooth transition when GDPR arrives and takes full effect.
For more information on GDPR or our data collection policy, please email:
Frequently Asked Questions
What is GDPR?
In May 2018, the General Data Protection Regulation (GDPR), introduced by the European Union, will come into effect.
The General Data Protection Regulation (GDPR) is the result of 4 years of work by EU member states to address new data threats. As compared with the Data Protection Act, it introduces stiffer fines for companies which are not compliant and gives consumers and data subjects greater control over the ways in which their personal data is being used. In addition, it makes these new protection rules consistent throughout the EU and worldwide for organisations seeking to do business with EU Citizens.
Are you GDPR compliant?
Although GDPR went into effect in May 2016, EU businesses (including those in the UK) have until 25 May 2018 to be compliant. We aim to be compliant with the key tenets of the Regulation by May 2018, achieving what is widely regarded as ‘Privacy by Default’, and it is our intention to be compliant with all aspects shortly after, under an organisational mantra of ‘Privacy by Design’.
What are the penalties for non-compliance?
It’s important to understand that the penalties for non-compliance with the provisions of GDPR are substantial. Regulators can impose administrative fines up to an amount that is the greater of €10 million or 2% of annual revenues for non-compliance with “technical measures” (like impact assessments and breach notifications). Those fines increase to the greater of €20 million or 4% of global annual turnover for non-compliance with “key provisions” of the GDPR.
What impact will Brexit have on GDPR?
Brexit has no effect on the need for UK businesses to be compliant with GDPR. The UK Government published the draft Data Protection Bill 2017 in September 2017; this brings all of GDPR into UK law and alters some key parts, such as the age of the minors it covers. There are no material changes or exclusions from the full EU version, so no time should be lost in starting the journey to GDPR compliance.
What are you doing to achieve compliance?
Achieving GDPR compliance is a time-consuming and complex project. In brief, to protect the personal information of our clients and staff and avoid penalties, we are taking the steps necessary to ensure compliance, including the following key tenets:
Perform a compliance audit: it’s important to understand the legal framework of GDPR and to audit our current IT practices as they relate to that framework. We may, for example, hire a data protection officer (who has both a legal and technology background) to help us understand the new regulations and create a compliance plan to be completed prior to the May 2018 deadline.
Create a data register: if a breach occurs during the early stages of implementation, we will need to demonstrate the steps we’ve taken to achieve compliance. The best way to do that is by maintaining a careful record of those steps in the form of a data register setting out what we collect, how we store, use and share such data, how we protect it, and the risks associated with using the data. Think of this as a GDPR Data Playbook.
Complete privacy impact and data protection impact assessments: this step involves evaluating the way personal data is produced and protected. We are challenging why each piece of data is being collected and whether it’s necessary for our business. We will also assess our current security policies and data protection strategies (for example, are we protecting data through encryption or tokenisation?) as they relate to the rights of our users and the provisions of the GDPR.
Revise and repeat the process: we can’t assume that our first pass will identify every security threat to our use of personal information. For that reason, it’s important that we repeat the process to identify and revise anything we missed in the first stage of implementation. This will be a key tenet in our transition from ‘Privacy by Default’ to ‘Privacy by Design’.