Demystifying GDPR for business – what’s next for compliance?

Helen Iles, Senior Associate and Head of Training at Hugh James Solicitors, addressed the Caerphilly Business Forum’s breakfast meeting on December 5th. Taking place in the Tredomen Business and Technology Centre, in the shadow of Caerphilly’s County Borough Council, Helen broached the subject of GDPR to a rapt audience of the county’s leading business professionals.

BREAKFAST MEETING: Helen Iles on GDPR compliance for business

In the second part of our GDPR masterclass, Helen picked up where she left off in June of this year. Continuing from that baseline, Iles set out what had changed from a legislative perspective and, specifically, how it affected those present.

Introducing the discussion, Helen began with a question – what is GDPR? Whilst many in the room did indeed know in some form, few knew in enough detail to begin implementation. She confirmed the most important point first – that GDPR is a regulation, and not a directive. Translating this for the audience, she stated that, as a regulation, GDPR will come into force at precisely 00:01 on May 25th.

Holding data, Iles continued, is set to become immensely more complicated under GDPR. The legal justifications for holding it include consent, contract, legal obligation, vital interests, public interest and legitimate interests. The majority of businesses will naturally gravitate to the legal validation of ‘consent’ – simply due to human nature. The act of handing over a business card may be seen by many as consent to be contacted, Iles stated, but under GDPR this will become much more specific.

Continuing, Iles gave the example of dropping a business card into a fishbowl to enter a competition. Many understand that this form of competition will also enter your details into a mailing list to be contacted in future – it’s a staple for businesses looking to grow their marketing lists. Under GDPR, however, this information can only be used for the purpose to which consent was given – and no other.

Legitimate interest, Iles confirmed, was the best option to shoehorn data under. Consent, she stated, had a particularly high legislative burden and as such should be considered as a last resort. The standard for explicit consent must meet each of the following categories in some way:

· Freely given

· Specific

· Informed

· An unambiguous indication of wishes: a statement (explicit consent) or a clear affirmative action (non-explicit)

· Cannot be inferred from silence or inactivity (pre-ticked boxes are invalid)

· Verifiable – how and when it was given

· No need for automatic refreshing exercises

A high legislative burden indeed.

Answering questions from the audience, Iles advised that businesses were not being left in the dark – the ICO site itself has a number of resources available to businesses, not only to ensure their compliance with the regulation but also to report on activities should things go wrong. Highlighting one example in particular, Helen gestured to the information packs handed out. Within was an ICO document – ‘Preparing for the General Data Protection Regulation (GDPR) – 12 steps to take now’.

A new addition under GDPR, Iles explained, is a requirement for breach notification. Within 72 hours, businesses must notify the ICO of any breach that puts sensitive personal data at risk. Human error, she explained, was going to be one of the most difficult challenges to face in this regard. Many workers will sit on an error for days at a time – waiting for the right moment to reveal it, or trying to fix the problem themselves. With the 72-hour limit, this creates chaos for businesses. Helen put forward one solution – separating data breach notification from disciplinary processes to speed up the disclosure time.

The tagline for this event was “If you want peace, prepare for war” – there was truly no more appropriate quote that could have been used. GDPR will pose a significant problem for businesses going forward, and many are quite simply not prepared for its implementation.

Our next event will feature Laura Evans of Unleash Your Potential to the Borough. Join us on January 9th at Coleg Gwent’s Crosskeys Campus for what promises to be an interesting discussion.