Data Protection Services
Protecting personal information is something that all companies are required to do by law. This includes your clients’ data, customer data and your employees’ data. You may have heard about the new General Data Protection Regulation (GDPR) and be worrying about whether your organisation complies.
The GDPR is EU legislation that supersedes the UK’s Data Protection Act and is now in force. From 25 May 2018 the GDPR applies to all members of the EU and a two-tier sanctions regime will be enforced whereby breaches of the law could lead to fines of up to €20 million or 4% of global annual turnover, whichever is the greater.
Even post-Brexit, compliance will be vital for any company wanting to do business in the EU. All businesses and not-for-profit organisations that process personal data concerning employees, customers or prospects who are in the EU and/or are EU citizens fall within its scope, wherever in the world the company is based, even if the data is processed outside the EU. In other words, European data protection law will now apply worldwide. Added to this, the UK Data Protection Bill, designed to bring the UK’s data protection laws in line with the GDPR, is currently proceeding through Parliament and is likely to come into force before or at the same time as the GDPR. This will mean that even if your organisation does not do business with an EU member country and only processes personal data of UK citizens, the provisions of the GDPR are likely to apply post-Brexit.
What does the General Data Protection Regulation (GDPR) mean for your organisation?
Through the GDPR, the EU recognises:
- The right to private life as a universal human right and
- The right to have one’s personal data safeguarded as a distinct, standalone universal human right.
It is by attaching rights to an individual’s data separately from the right attached to an individual that the EU can demand EU-grade data protection standards from businesses operating outside the EU. The onus is on businesses to determine if they are in scope.
The good news is that correct implementation of the GDPR will not only ensure compliance and mitigate the risk of fines but, more importantly, will give compliant businesses a competitive advantage. As the world becomes more digitalised, it is clear that customers are becoming more concerned about how their personal data is used and secured. With many high-profile data breaches over the past year (T-Mobile, Yahoo, Equifax and Uber, to name but a few), customers simply will not deal with companies that do not take protection of their data seriously. That’s why Bridgehouse advocates that organisations consider GDPR a central plank of business strategy that has high visibility with the board.
What can Bridgehouse do to assist?
Bridgehouse Company Secretaries provides a number of data protection services to help you with compliance – from creation of a suitable data protection policy, website compliance checks and assistance with handling Subject Access Requests (SARs) through to full data protection audits.
- Data protection audits
Initially we would recommend a data protection audit to find out whether your organisation is complying with its data protection responsibilities. This could range from a very light-touch desktop review of what policies, procedures and training are in place, through to a full data protection audit in which Bridgehouse’s team of experts carry out a four-stage audit. A full audit looks not only at data protection (DP) policies but also at associated policies such as IT security, email and telephone usage, disaster recovery, document retention and employment contracts/policies (specifically how they relate to data protection); how data is stored and processed; how data is managed and destroyed as appropriate; training; risk assessments; and the governance surrounding DP, such as Board reporting and committees. Such an audit is tailored to each individual client’s needs and includes an in-depth report on the findings, with prioritised recommendations for action.
- Data protection policies and procedures
Another early step to compliance is to ensure that the appropriate policies and procedures are in place. Such policies include an over-arching data protection policy, privacy notice for your website, SAR procedures and can even extend to associated policies such as a clean-desk policy and internet, email and telephone usage policy. Bridgehouse can assist with the drafting of individual policies, as well as a full framework of relevant policies and procedures.
- Data Protection Officer
As Company Secretaries, we are ideally placed to assist UK companies with the latest Information Commissioner’s Office (ICO) guidelines under GDPR, which require most organisations in the UK to appoint a Data Protection Officer (DPO).
Appointing Bridgehouse Company Secretaries to act as your DPO alleviates the data protection burden on your organisation and frees you to focus on your core business, secure in the knowledge your data protection responsibilities are in expert hands. These are just some of the benefits of utilising a Bridgehouse Company Secretary as DPO:
- We are independent and so always act in the best interests of the company
- We have a far-reaching overview of the organisation
- We have access to the board and committees
- We work seamlessly with supervisory authorities and regulators
- We are professionals with knowledge of data protection law.
We allocate a dedicated, named resource who will work quickly and effectively to become an integral part of your in-house team and give you the peace of mind that your organisation is meeting the new GDPR guidelines. We are delighted that one of our consultants has been certified as an EU GDPR Practitioner and is able to provide guidance and assistance to the Bridgehouse team as appropriate.
- Website compliance checks
Bridgehouse Company Secretaries can undertake a compliance check on your company website to ensure that it meets minimum data protection requirements together with obligations under the e-Commerce Regulations that govern online business throughout Europe. We can also provide help drawing up your website terms and conditions.
- Subject Access Requests (SARs)
Responding to SARs can be a laborious and time-consuming activity, especially where a company has insufficient training and procedures on how to deal with them. As companies have only one month in which to comply before breaking the law, Bridgehouse can assist with the administration of the SAR including reading through extensive amounts of paperwork and emails to identify the data subject and redacting information where necessary.
If you would like expert help to ensure your business is compliant with data protection legislation, please get in touch.