GDPR – what is it and what should I do?

23 April, 2018

The EU’s new General Data Protection Regulation (GDPR) comes into force on 25 May 2018 and it will have an impact on virtually any business in the EU.

If you are running a small practice, employing a handful of people, the good news is that you are unlikely to be doing anything with personal data that significantly breaches the new regulations so as to attract the attentions of the regulator. The bad news is that it is very likely that you are not doing many of the things you are supposed to be doing to ensure and then demonstrate your compliance with the rules.

Whether you like it or not, compliance with data laws is now on a par with proper accounting or HR procedures, and either getting yourself up to speed or paying for advice is a cost of doing business. Brexit makes no difference, as the data laws in the UK are going to stay closely aligned with the EU, at least for the foreseeable future.

Personal data includes any information that could identify a living person.  Obviously, this includes a person’s name, email, physical address etc, but also now extends, among other things, to IP addresses which means your use of Google Analytics on your website requires attention.

In order to handle (or “process”) personal data, you need to have a lawful basis for each way that you process the data. Much attention has been given to the issue of consent – which must have been given freely, and specifically for the relevant use case (e.g. sending marketing emails) plus you need a record of this (which might explain all the emails being sent out by businesses right now asking you to “re-consent” to keep in touch).

However, consent is only one valid basis for processing data and there are several others. For most of the people you deal with, you can rely on “contractual obligation” – e.g. the person is your client or supplier and you need to contact them to do business (this includes pre-contractual contact) in some edge cases, you will need to rely on “legal obligation” or “legitimate interest” (e.g. the person has ceased to be your client, but your insurers oblige you to store records for 7 years – this could create a legitimate interest).

For all the personal data you handle, you must audit and document what it is, your grounds for handling it, and review the systems you have in place for keeping it secure.

If you are still at the start of getting to grips with GDPR, don’t panic, but start reading further into the topic – there is a lot of free information on the web and the best place to start is the Information Commissioner’s website.

If you are still really worried, speak to your legal advisers and look out for upcoming seminars such as this one, run by RIBA.

But watch out. GDPR is turning into a gravy train for consultants so make sure that you get your advice from someone who knows what they are doing and has not just set themselves up as a ”GDPR specialist” in the last 6 months.