The General Data Protection Regulation (GDPR) comes into force on May 25th 2018, providing greater protection for the data of individuals (natural persons). For any company dealing with individuals or businesses within the EU and the United Kingdom, this means a greater level of data protection must be provided, along with more stringent processes and procedures, in order to ensure that the data of a natural person is protected.
GDPR Process Documentation
The amount of work required to implement GDPR will depend on how well documented your existing systems are, as well as how much data you hold. In our experience, the amount of documentation required is several times more than under the Data Protection Act 1998. In fact, there is a requirement to keep registers of the software used to capture, store and process data, as well as a risk analysis register showing not just the risk of a data breach to the company but also the impact on the individual (the natural person).
Another requirement of GDPR is that you document the cookies that your website uses and explain what those cookies are used for. In our experience, many website designers don’t have a clue how to find out what these cookies are and what they are actually being used for. So here’s something you can have from us right now for free: we found a tool that works really simply. Your website developer can either use a plugin module or drop a small amount of code into the site, and 24 hours later you will be telling all your visitors about your cookies when they arrive at the site. This tool sorts it all out and can be set to re-scan the site on a schedule, so that if things change (and they will) it updates automatically, keeping you compliant as far as cookies go! Check it out here.
Companies also need to document the processes used to respond to data requests from individuals. These may include (among other things) copies of the data held in a transferable format such as a CSV file, restrictions on data processing and the right to be forgotten.
Ignoring GDPR is not an option
During discussions with the Information Commissioner’s Office (ICO) we have found that the will to help companies is there, but that companies that ignore GDPR will run the risk of being treated harshly following any data breach. The more you do to comply with GDPR, the more likely you are to get advice and support in the event of a breach.
The administrative fines are discretionary rather than mandatory; they must be imposed on a case-by-case basis and must be “effective, proportionate and dissuasive”.
There are two tiers of administrative fines that can be levied:
1) Up to €10 million, or 2% of annual global turnover, whichever is higher.
2) Up to €20 million, or 4% of annual global turnover, whichever is higher.
The fines are based on the specific articles of the Regulation that the organisation has breached. Infringements of the organisation’s obligations, including data security breaches, will be subject to the lower level, whereas infringements of an individual’s privacy rights will be subject to the higher level.
How we can help
Before we go any further, please understand that we are not lawyers. What we provide is our layman’s understanding of what’s required, based on many years in the IT and information security industry, analysis of the GDPR itself and a variety of further inputs from books, webinars, presentations and discussions with the ICO on the subject.
Having said that, we follow a proven process to minimize the amount of data that you hold and to provide comprehensive documentation covering the various aspects of GDPR as they affect your company and the data subjects’ information that you hold.
We will help you identify and produce all of the GDPR Process Documentation and GDPR Procedures Documentation required under the legislation, ensuring that any individual within your organisation should be able to pick up the documentation and perform any required task under GDPR. This will include processes for removing subject data, recording the processing of data, dealing with data requests and dealing with a data breach should one happen. Additionally, we provide support with data collection paperwork and website forms, and advice on data storage and the length of time data can be held.
| Organisation Type | Size | Typical Time Frame | Price Range (inc VAT) |
|---|---|---|---|
| Charity | <15 | 4 – 8 weeks | £800 – £1200 |
| Sole Trader | <5 Employees | 4 – 5 weeks | £600 – £800 |
| Sole Trader | 6 – 20 Employees | 5 – 8 weeks | £800 – £1200 |
| Limited Company | <5 Employees | 4 – 6 weeks | £600 – £1000 |
| Limited Company | 6 – 20 Employees | 5 – 8 weeks | £1000 – £2000 |
| Any | > 20 Employees | Available on request | Available on request |
Need to talk?
For further information, please contact us by completing the form below. This information will be used in compliance with the GDPR for the purpose of contacting you with a view to undertaking work under a formal contract.