GDPR 12 months on – Lessons Learned

23rd May 2019


The GDPR and the Data Protection Act 2018 have now been in force for 12 months. GDPR day (25th May 2018) was heralded by messages of impending doom and the threat of eyewatering fines for organisations that did not comply. Twelve months on, what has the practical impact of GDPR been on organisations? We thought we would mark the anniversary of GDPR with a look back at the past 12 months and the lessons learned.

Policies and procedures

Lesson learned: Policies and procedures must be up to standard and fit for purpose


The key documents you need to get right are your organisation’s:

  • Public facing privacy notice

  • Internal staff privacy notice

  • Data inventory or Information Asset Register (i.e. your record of data processing)

  • Data Breach Reporting Procedure and internal data breach record

  • SAR & Individuals’ rights procedure

If these documents, particularly your organisation’s privacy notice, are not to the required standard, this can severely impact the organisation’s ability to process personal data lawfully and can leave it significantly exposed.

Changes in processing activities

Lesson learned: Your organisation’s data protection compliance must keep pace with changes in processing activities


Your organisation needs to ensure that its data protection compliance at a minimum keeps pace with changes in its processing activities and, in the best case, anticipates or pre-empts those changes. Undertaking Data Protection Impact Assessments (where required), updating the record of processing activities and updating any privacy information are all key compliance requirements when it comes to new processing activities.

Staff

Lesson learned: Ensure staff training is refreshed periodically, so that staff awareness of their obligations and those of their employer under data protection legislation is maintained. It is also important to ensure that new joiners receive training as part of their induction process.


The ICO made it clear early on that it expected all staff to receive training on data protection, and this message hasn’t changed. For example, the ICO specifically asks on the personal data breach notification form whether the staff member(s) involved in the breach have received data protection training in the past 2 years. If the answer to that question is ‘no’, further enquiries are likely to follow.

The benefits of GDPR compliance

Lesson learned: Embrace GDPR as a way to improve your organisation’s data protection practices and enhance its reputation.


The GDPR places many more responsibilities on data controllers. It is, however, ultimately there to help organisations ensure personal data is used in the right way. There is no doubt that compliance with the GDPR takes time and effort; however, once organisations have their policies and procedures in place, these should mitigate the misuse of personal data and help preserve an organisation’s reputation, e.g. in the event of a personal data breach.

As always, the Information Law Team at Geldards are here to help with any queries or issues you may have when it comes to data protection. We also have a GDPR tool-kit to help organisations with their obligations, which includes:

  • Template privacy notices

  • A suite of data protection policies, including breach notification & individuals’ rights

  • Staff training packages

  • Online training modules (foundation and refresher courses) which staff can do at their desks

For further information contact one of the Information Law Team.
