Wednesday, April 24, 2019

GDPR - One Year On

We are nearly 12 months on since the introduction of the General Data Protection Regulations (GDPR) and the Data Protection Act 2018 (DPA 2018), but according to the Information Commissioner's Office many organisations are still needing to get started on their GDPR journey!

Since GDPR came into force we have seen numerous organisations taken to task by the ICO but most of them have been in relation to pre-GDPR issues and therefore fines have been limited to less than £500,000 (the most the ICO could fine under the old regime).

It is clear from recent published cases and feedback from the ICO that it will not be long before we start to see fines under the new GDPR regime; this could be up to £20m or 4% of global turnover (which could amount to £1.6bn for the likes of Facebook/Google!). 

The ICO has said that it will only use fines as a last resort, however, any regulatory action could lead to reputational damage, so it is key that you and your firm comply with GDPR/DPA 2018/SRA Rules. Ask yourself the question: "Would I be happy to instruct a firm that does not look after clients' personal data?"; I suspect you wouldn't and neither would many of your current/potential clients!       

GDPR/DPA2018 was not a one-off project in May 2018; you will need to continue to review your policies, systems, training, etc., at least annually, to make sure your data protection environment is still fit for purpose.

Author: Brian Rogers