GDPR Training and Audits
Need bespoke training for your business?
Allott and Associates can offer a variety of bespoke training options at your premises, including breakfast seminars, half-day courses or training covering specific aspects of GDPR, suitable for groups of three or more people. Please contact Allott and Associates for more details.
Why do I need GDPR training?
GDPR, the new General Data Protection Regulation, comes into force in May 2018 and affects virtually all businesses and trade associations, large and small, including schools, the health service and the public sector, and from 2019 even charities.
Arguably GDPR, an EU regulation that the UK is committed to implementing despite Brexit, is the biggest change affecting businesses since the introduction of the Human Rights Act in 1998.
GDPR affects every aspect of a company or firm, from personal records to accounting and marketing. Failure to adhere to the new rules will result in fines of up to €20 million or 4% of turnover, whichever is greater. Despite a fanfare of publicity, many businesses are still not prepared for the changes needed, and even some senior business leaders seem oblivious to the new company policies that will need implementing before 25 May 2018.
What is the scope of GDPR?
GDPR has an impact in twelve different areas and includes the following eight individual rights, some of which are new:
1. The right to be informed
2. The right of access
3. The right to rectification
4. The right to erasure
5. The right to restrict processing
6. The right to data portability
7. The right to object
8. The right not to be subject to automated decision-making including profiling
These points affect trading in a number of key areas, such as marketing. There must now be a positive opt-in: consent cannot be inferred from silence, pre-ticked boxes or inactivity. Consent must also be kept separate from other terms and conditions, and you will need simple ways for people to withdraw it. In summary, where recipients previously could opt out, they must now opt in.
Individuals now have a stronger right to have their data deleted where your business uses consent as the lawful basis for processing data. Businesses will also have to explain their lawful basis for processing personal data in privacy notices and when replying to subject access requests.
The right to erasure, effectively the right to be forgotten, will require businesses to be able to confidently delete an individual's data and make no further contact with them by any direct means. For the first time, the GDPR will bring in special protection for children's personal data. Do you employ people under 18? If so, parent or guardian permission may be needed for certain activities.
Businesses now also need to ensure that they have the right procedures in place to detect, investigate and, if necessary, report to the ICO any personal data breaches.
If you think this is challenging, your business will also need to consider whether it should formally designate a Data Protection Officer (DPO), and if your organisation operates in more than one EU member state, you will also need to determine your lead data protection supervisory authority and document it.
If this all sounds very complicated, you should strongly consider seeking external professional guidance from someone like Allott and Associates.
Allott and Associates is already working with businesses, both SMEs and much larger bodies, to help them with GDPR training and audits to make the changes needed to stay lawful. Allott and Associates helps clients identify their new legal obligations through onsite audits and then provides the guidance needed where in-house policies need changing.
The audit takes one day of preparation, one day onsite and one day preparing the written report, with a subsequent follow-up meeting completed by a GDPR Practitioner. Following implementation of the changes needed, a further mini audit will take place to check that everything has been completed.
Having the peace of mind to know that your business or organisation has made the changes necessary is worth its weight in gold.
GDPR Privacy Notices
As a result of GDPR, most existing privacy notices or statements will need redrafting to include more information about how data is managed and processed. For the first time, companies that process data, not just those that control it, will be treated as jointly and severally liable if there is a breach of personal data. The privacy notice will also need to acknowledge the new rights granted to data subjects and the processes for handling these. Understanding the law and how to apply it is critical to getting it right.
If you need help with drafting your company's privacy notice, please talk to Allott and Associates: the agency has GDPR drafting experience ranging from plcs to SMEs and would be delighted to provide a quotation.
All work is completed in-house by a qualified GDPR practitioner who also has a law degree, so rest assured, you are in safe hands.
For more information and further guidance or a bespoke quotation for all or any of the GDPR services outlined, please call Allott and Associates today on 01423 867264 or 0207 257 2017 or complete the contact form.