GDPR: has it really been 6 years?

If we asked you to guess how long it had been since GDPR, you’d probably say 3 or 4 years or it was definitely pre-covid. It doesn’t feel like 6 years since we were drafting privacy notices, cookies policies and carrying out data protection impact assessments.

A lot has changed since that time and so it’s time to revisit your ways of working, policies and other documents.

  1. Brexit – do your policies deal with UK GDPR?
  2. Your business – are you using automated processing now?
  3. Have you put in extra measures to address how quickly the cyber landscape is evolving?
  4. AI – have you thought about how this might impact how you use and process personal data?
  5. Staff – do you have employees or consultants working abroad, and has your customer base become international?

What does GDPR enforcement look like?

Maximum levels of fines remain as they were (up to 4% of annual global turnover or 20 million euros), but fines are being issued more frequently and at higher levels. Even if there isn’t any loss to the data subject, fines are still being issued, and avoiding fines comes down to demonstrating compliance.

What do you need to demonstrate?

  • That staff are trained on GDPR – once, 6 years ago, is not going to be enough.
  • That you have procedures in place to minimise the risks of data breaches. This can’t be limited to a policy stored on a shared drive.
  • That you have processes in place to minimise the loss to any data subject once a breach occurs.
  • That you have a process in place to report breaches.

What should you be doing now?

  • Carrying out a new data protection impact assessment to review what you have in place and what steps are needed – we would recommend this is carried out every 1-2 years.
  • Retrain staff on GDPR (and ensure that all new starters receive training).
  • Appoint a data protection officer or other person who will be responsible for data protection issues in the workplace, including being the person to whom all potential breaches are reported.
  • Make sure that person keeps a log of all potential breaches and has a paper trail to show the decision making in relation to whether each one is a reportable breach or not.

If you’d like to understand more about your GDPR obligations, please contact our Employment team.

(June 2024)