When GDPR takes effect this May data governance will be at the forefront and you will need to have a strong program of policies, standards and controls in place to ensure compliance. Matthew Clayton of Willans gives his legal insights.
A considerable amount has been written on GDPR but in our opinion one of the most useful documents to date is the ICO’s ‘Preparing for the General Data Protection Regulation – 12 steps to take now’. However, even this can leave you asking what you need to do to be compliant. Here are some of our legal insights:
You don’t always need to have an individual’s consent in order to process their data (i.e. hold or use it). There are other legal justifications for doing so. Processing is justified (amongst other things) if:
- It’s necessary to deliver a contract, e.g. if the individual is a customer and you need that data to provide goods or services to them.
- It’s in your legitimate business interests, provided that it doesn’t outweigh their privacy rights. This can be more difficult to judge, and would probably not extend to marketing to non-customers.
You’ll need to provide individuals with new privacy notices giving more information about the legal basis for processing their data: what data may be processed and for what purpose, how long it will be stored and what their legal rights are. Current privacy notices won’t be adequate.
Data security breaches
You’ll be legally required to report data security breaches to the authorities, where feasible within 72 hours of becoming aware and where it is likely to result in a risk to “the rights and freedoms of individuals”. This can be difficult to assess.
Any contracts you have with a ‘data processor’, such as a payroll bureau or marketing agency, will need to be reviewed, as GDPR requires you to include certain contractual terms guaranteeing data privacy.
Contact Matthew Clayton at Willans on 01242 514000, or your preferred solicitor, to help ensure you have strong governance controls to ensure compliance.
Willans’ multi-disciplinary legal teams spend all day, every day helping companies large and small with complex business decisions.