Data Protection – Is Your Business Compliant?
The Data Protection Act 2018, which implements the General Data Protection Regulation (GDPR) in UK law, has recently passed its fifth anniversary. However, compliance with this legislation remains a challenge for many SMEs. Set out below are the key steps involved in establishing a compliance programme:
- Appointing a data protection officer (DPO) (if required or appropriate) or other person with responsibility for managing the compliance programme.
- Conducting internal data processing mapping and a compliance audit throughout the organisation.
- Identifying the controllers and processors (both within the organisation and outside) relating to different processing activities.
- Ensuring that appropriate lawful grounds exist for each processing activity and that the activity complies with the UK GDPR's data protection principles.
- Implementing systems to ensure that only authorised employees have access to personal data, establishing security arrangements to prevent personal data from being compromised, and clearly identifying the individuals within the organisation who are responsible for information security.
- Ensuring that appropriate levels of data security exist across the group and that appropriate arrangements have been put in place with third-party processors.
- Preparing and providing appropriate privacy notices regarding the company's processing activities and obtaining consent where necessary.
- Providing and maintaining a training programme so that all employees with access to personal data understand the need to protect it and are familiar with the company's information security policy.
- Carrying out data protection impact assessments on relevant business processes, systems and products to ensure compliance with UK GDPR requirements.
We can assist with designing your compliance programme, carrying out a data mapping exercise and drafting the required policies and procedures, including:
- internal and external facing privacy policies;
- cookie policies;
- data breach response plans;
- data retention policies;
- data protection impact assessments; and
- data protection compliance records.
Speak to our Corporate & Commercial Specialists
If you would like us to assist with your compliance programme, please do not hesitate to contact our data protection specialist, Harriet Jones on harriet.jones@ibblaw.co.uk or contact us via the enquiry form at the top of our Corporate and Commercial page.