Data Protection Change is here…
On the 25th May 2018 the old Data Protection Act of 1998 (DPA) was superseded by the new EU General Data Protection Regulation (GDPR). The change is long overdue and brings data controls more in line with the modern world as we know it. A lot has changed in 20 years: the amount of data we process and the types of data we process require new controls to show we care about the data we hold.
The government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR, and has released the Data Protection Act 2018, which closely aligns the UK with the GDPR.
It doesn’t affect me!
We would suggest otherwise. Like the old DPA, the GDPR and DPA 2018 apply to ‘personal data’. However, the GDPR’s definition is more detailed and makes it clear that information such as an online identifier, e.g. an IP address, can be personal data. The more expansive definition provides for a wide range of personal identifiers to constitute personal data, reflecting changes in technology and the way organisations collect information about people.
For most organisations keeping HR records, customer lists, contact details etc., the change to the definition should make little practical difference. You can assume that if you hold information that falls within the scope of the DPA, it will also fall within the scope of the GDPR.
The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria. This is wider than the DPA’s definition and includes chronologically ordered sets of manual records containing personal data.
Managing Compliance
We have partnered with QG Standards to bring you a management standard that will help you become GDPR compliant and evidence that you have taken all action to be compliant. Not only that, but becoming certified will demonstrate to your customers, suppliers and staff that you take your responsibility for data security seriously.
This standard applies to all organisations that are ‘controllers’ and/or ‘processors’. The definitions are broadly the same as under the Data Protection Act, i.e. the controller says how and why personal data is processed and the processor acts on the controller’s behalf. If you are currently subject to the Data Protection Act, it is likely that you will also be subject to the GDPR.
The GDPR applies to processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU.
If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have significantly more legal liability if you are responsible for a breach. These obligations for processors are a new requirement under the GDPR.
However, if you are a controller, you are not relieved of your obligations where a processor is involved – the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.
Pricing Options
GDPR Basic
Uncertified Compliance (Ideal for small businesses)
- Basic Guidance of GDPR Requirements for Data Processing
- Example Policy Templates to adopt if required
- Advice you can pass to your IT provider to help with storage compliance
- Guidance implementing a 17 point GDPR Management System
- 2 Days GDPR Practitioner Consulting included
- Additional consultancy days at reduced rate
- Ongoing GDPR Practitioner Support
- Certificate of Compliance
- Compliance Updates
- Employee Training early access
- External Compliance Audit (additional charges apply)
GDPR Fundamentals
GDPR Management System
- Comply with GDPR Requirements of Data Processing
- Example Policy Templates to adopt if required
- Advice you can pass to your IT provider to help with storage compliance
- Guidance implementing a 17 point GDPR Management System
- 2 Days GDPR Practitioner Consulting included
- Additional consultancy days at reduced rate
- Ongoing GDPR Practitioner Support
- Certificate of Compliance
- Compliance Updates
- Employee Training early access
- External Compliance Audit (additional charges apply)
GDPR Fundamentals Plus
GDPR Management System with Audited Certification
- Comply with GDPR Requirements of Data Processing
- Example Policy Templates to adopt if required
- Advice you can pass to your IT provider to help with storage compliance
- Guidance implementing a 17 point GDPR Management System
- 2 Days GDPR Practitioner Consulting included
- Additional consultancy days at reduced rate
- Ongoing GDPR Practitioner Support
- Certificate of Compliance
- Compliance Updates
- Employee Training early access
- External Compliance Audit (additional charges apply)
Data Protection Officer
If Special Category data is being processed, you are required to appoint a Data Protection Officer. In smaller businesses this is not easy, as the GDPR/DPA clearly states that the Data Protection Officer cannot have a conflict of interest, and this may be difficult for your business.
The solution is to appoint a Virtual Data Protection Officer: someone from outside your business who has the appropriate knowledge of data protection and can act on your behalf.
With our vast knowledge of this subject we are able to be appointed to act on your behalf; please contact us for more information.
Special Category Information includes the following:
race, ethnic origin, politics, religion, trade union membership, genetics, biometrics (where used for ID purposes), health, sex life or sexual orientation.
a question you’d like answered or would just like an informal chat, contact us.