Data Protection Services
Protecting personal information is something that all companies are required to do by law. This may be your clients’ data, customer data, and includes your employees’ data.
The General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) and Data Protection Act 2018 are now in force and you may be worrying about whether your organisation complies.
The GDPR is EU legislation and applies to all member states of the EU. Even post-Brexit, the Data Protection Act 2018 ensures that GDPR will remain in force within the UK and will be vital for any company wanting to do business in the EU. A two-tier sanctions regime is enforced whereby breaches of the law could lead to fines of up to €20 million or 4% of global annual turnover, whichever is the greater.
All businesses and not-for-profit organisations that process personal data concerning employees, customers or prospects who are in the EU and/or are EU citizens fall within its scope, wherever in the world the company is based, even if the data is processed outside the EU. In other words, European data protection law now applies worldwide.
What does GDPR mean for your organisation?
Through the GDPR, the EU recognises:
- The right to private life as a universal human right and
- The right to have one’s personal data safeguarded as a distinct, standalone universal human right.
It is by attaching rights to an individual’s data separately from the right attached to an individual that the EU can demand EU-grade data protection standards from businesses operating outside the EU. The onus is on businesses to determine if they are in scope.
The good news is that correct implementation of the GDPR will not only ensure compliance and mitigate the risk of fines but, more importantly, will give compliant businesses a competitive advantage.
As the world becomes more digitalised, it is clear that customers are becoming more concerned about how their personal data is used and secured. With many high-profile data breaches over the past year (T-Mobile, Yahoo, Equifax and Uber, to name but a few), customers simply will not deal with companies that do not take the protection of their data seriously. That is why Bridgehouse advocates that organisations treat GDPR as a central plank of business strategy with high visibility at board level.
What can Bridgehouse do to assist?
Bridgehouse Company Secretaries provides a number of data protection services to help you with compliance – from creation of a suitable data protection policy, website compliance checks and assistance with handling Subject Access Requests (SARs) through to full data protection audits.
Data protection audits
Initially we would recommend a data protection audit to find out whether your organisation is complying with its data protection responsibilities.
This could take the form of a very light-touch desktop review looking at what policies, procedures and training are in place, through to a full data protection audit in which Bridgehouse’s team of experts carry out a four-stage audit covering:
- data protection (DP) policies, and associated policies such as IT security, email and telephone usage, disaster recovery, document retention, and employment contracts/policies (specifically how they relate to data protection);
- how data is stored and processed;
- how data is managed and destroyed as appropriate;
- training;
- risk assessments;
- governance surrounding DP, such as Board reporting and committees.
Such an audit is tailored to each individual client’s needs and includes an in-depth report on the findings, with prioritised recommendations for action.
Data protection policies and procedures
Another early step to compliance is to ensure that the appropriate policies and procedures are in place. Such policies include an over-arching data protection policy, a privacy notice for your website and SAR procedures, and can even extend to associated policies such as a clean-desk policy and an internet, email and telephone usage policy.
Bridgehouse can assist with the drafting of individual policies, as well as a full framework of relevant policies and procedures.
Website compliance checks
Bridgehouse Company Secretaries can undertake a compliance check on your company website to ensure that it meets minimum data protection requirements together with obligations under the e-Commerce Regulations that govern online business throughout Europe. We can also provide help drawing up your website terms and conditions.
Subject Access Requests (SARs)
Responding to SARs can be a laborious and time-consuming activity, especially where a company has insufficient training and procedures on how to deal with them.
As companies have only one month in which to respond before they are in breach of the law, Bridgehouse can assist with the administration of the SAR, including reading through extensive amounts of paperwork and emails to identify the data subject’s data and redacting information where necessary.
If you would like expert help to ensure your business is compliant with data protection legislation, please get in touch.