GDPR: A Flash in the Pan or the Calm Before the Storm

The deadline has passed and everything has gone quiet; or has it?

Yes, it may be quieter than some people predicted but let’s not be too complacent. In the three weeks since 25 May, the ICO has been very busy; according to their site they have made 10 advisory and/or audit visits, issued 18 decision notices and issued 3 enforcement notices (fines).

Of course, anybody who thought that swingeing fines would be making headlines by now was probably being a little unrealistic; investigations take a while to be conducted and judgements a while longer to be delivered – so don’t expect too many scary headlines just yet.  But that does not mean that they aren’t on their way; in spite of the ICO statements saying they prefer the carrot to the stick, Regulators tend to like the deterrent that attention-grabbing headlines provide.

What about the companies that are not yet compliant?

If you are one of these then the first thing to acknowledge is that you’re not alone; a recent survey by Apricorn ( in May 2018, noted that only 29% of respondents were confident that they complied with the GDPR. That leaves 71% still to complete – or still to start in some cases -their compliance work.

Whilst you may be able to take a little comfort in the ICO’s previous statement that it will consider favourably those that have started their compliance journey – the clear message is “keep the momentum or start now!” We’ve all been bombarded with GDPR emails about consent and privacy notices for weeks so there is no excuse for claiming ignorance and doing nothing!

You’re under the spotlight

It is very easy for anyone – your clients, prospects, suppliers and the ICO – to get an initial impression of whether your company is making an effort towards GDPR compliance. Firstly, they can check whether you have registered with the ICO – which publishes a register of data controllers that have registered and paid their fee; secondly, they can look at your Privacy Notice on your website, which will give a good indication of your understanding of your GDPR obligations together with details of PII data handling and security.

By the way – the ICO states on its website that non-registration of Data Controllers is a criminal offence and that there are fixed penalties for offenders – so you’d be advised to make sure you take the test on their website to see if you need to register as soon as possible. (Although at the point of writing this, the registration part of their website was not working!)

What will people do with their new data rights?

A recent article quoted a European-wide survey by Veritas, which found that 40% of consumers plan to make a subject access request within 6 months of May 2018. It is clear that consumers want to take back control of their data and intend to exercise their rights under GDPR. What is not clear is how (mostly larger) companies will cope with this deluge of requests for information, given they have just 1 month to respond and cannot levy a fee. And for smaller organisations the implication is clear – have robust SARs policies and procedures in place sooner rather than later.

If you are not yet compliant, here are 5 actions to consider now:

  1. Register with the ICO if you are a Data Controller (and not exempt).
  2. Update your Privacy Policy. Make sure you inform all users how you collect, use and manage their data.
  3. Conduct a data audit so that you have a record of what PII exists, your lawful bases for processing, who you share it with and how long you keep it.
  4. Ensure you have adequate data protection policies in place which demonstrate your commitment to data security. This includes your IT systems which should meet industry standards and be regularly updated.
  5. Document how you will respond to any Subject Access Requests— you may not get many but they can be very time consuming, so have clear procedures in place.

Author: Colin Jupe, VXPartners, June 2018


GDPR – Do You Need To Do Anything?


Remember all the furore over Y2K? Planes would fall from the sky, banks wouldn’t function, our personal computers would stop and so on; but in the end it seemed that many of the risks were exaggerated. So, one might ask “is all the hype over EU General Data Protection Regulation a similar over-the-top reaction?”

In short – NO!  – You need to act now!

Despite the thousands of column inches attributed to the implications of these legislative changes coming in to force on 25 May 2018, it is predicted that over 50% of SMEs and over 30% of large companies will be unprepared for the introduction of some of the most important laws affecting businesses’ sales, marketing and IT activities.

And just to be clear, these are not new guidelines – they are laws; and the maximum penalty for flouting them is Eur20m or 4% of worldwide turnover, whichever is the higher – easily enough to put many SMEs out of business!


Who Does GDPR Affect?

Every company that collects or processes personal data on a EU resident is affected. And the GDPR definition of “personal data” is much wider than the old DPA one, including, for example, monitoring the behaviour of EU residents by tracking their digital activities; effectively, that could include pretty much all companies’ websites and/or apps.  Also included are any data that can be used to identify individuals – personal and company emails, IP addresses or still or video images for example; so, it’s difficult to see which companies won’t be affected.


Sales and Marketing Take Note, It’s Not Just an Issue for IT and Compliance

GDPR is a fundamental change in the way that data collection and use is regulated. Historically we have been used to relatively straightforward laws and low levels of enforcement; GDPR probably has the most onerous personal data laws and penalties in the world.


Of course, that means enhanced compliance procedures and processes – not only are companies forced to apply the new laws, but they must also be able to demonstrate that they are compliant. This in turn has wide implications on IT for example how data are stored, indexed and transferred.


But equally important are the implications for Sales and Marketing, who will need to adopt an entirely customer centric attitude; many will need to completely rethink the ways they collect and use customer and prospect information, paying heed to the new, exacting requirements of consent and privacy.


What About Brexit?

“Won’t everything just get back to the old ways after we leave the EU?” ….NO!

Clearly, for companies wishing to trade in/with the EU, the new laws will be in force (and enforced). For others continuing to trade within Britain (or with non-EU countries), commentators believe cyber security and data privacy is so important that we’ll continue to adopt into UK law post Brexit the principles of GDPR.

Time is Running Out

May 2018 might seem like a long way away – but our advice is don’t delay – GDPR affects all companies that hold any personal data, assess whether you need external help and start planning now.


5 GDPR Steps to Take Now

  1. Know your data – Document what personal data you hold, where it came from and who you share it with.
  2. Consent must be explicit (and freely obtained) – Review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents now if they don’t meet the GDPR standard.
  3. Privacy is key – Review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.
  4. Individuals have rights to see manage and port data you hold on them – Check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.
  5. Breaches can be costly – Make sure you have the right procedures in place to detect, report and investigate any personal data breach.

Colin Jupe       August 2017