Skip to the main content

0344 863 8000
Sign up for our Newsletter
Email Newsletter icon, E-mail Newsletter icon, Email List icon, E-mail List icon

Advice on turning the GDPR challenge into a business advantage

Advice on turning the GDPR challenge into a business advantage

In this latest blog, Arena's Neil Maude reflects on what he's learned talking to organisations considering their next steps to data compliance and from his recent GDPR speaker engagements.

In recent weeks, Arena has been invited to present at a number of GDPR themed events across the region.  Firstly with VFormation in Nottingham, then with our group company B2 in Chester and most recently with Hays in Leeds.  Each of these events was a “sell-out”, in one case literally standing room only, which reflects the growing interest the General Data Protection Regulation.

Simply put, the GDPR is the biggest change to data protection law for almost 20 years.  When GDPR becomes law on May 25th 2018 it will replace the current Data Protection Act (1999) legislation.  Clearly, how individuals and organisations share and use personal information has changed beyond recognition in comparison with the state of play when DPA1998 was put in place, so the rules are ready for an update.  And whilst GDPR retains much of the requirements already in place, it does add some key new rights and obligations to modernise the legislation.

There has been much talk of the new obligations and especially the potential for fines to put organisations out of business.  The current maximum fines under DPA1998 are £500,000 - but this will increase to 4% of turnover or 20 million euros under GDPR, whichever is the higher figure.  This is significant for any organisation and rightly so.  Part of the intent of the GDPR is to make the cost of non-compliance greater than the cost of compliance, so that organisations do take heed of the new laws.  These higher fines – as well as the reputational risks of data issues – does mean that personal data is going to be high on the agenda for everyone.  Just on that reputational point, it’s our view that there is a significant opportunity related to the GDPR.  Those organisations which take a lead and can show that they are “good data citizens”, giving personal information the level of care that it deserves, are the organisations where individuals will want to place their business.

Because much of the GDPR is an extension to DPA1998, one of the first steps to compliance is to make sure that you are compliant with current legislation.  Audience questions at the various events suggested that this wasn’t necessarily a given thing – which is not that surprising really, as compliance is an on-going process and gaps will appear as organisations grow or evolve over time.

However, the GDPR also introduces some key changes, a few of which seemed to crop up several times and in various forms. 

Firstly, “subject access requests”.  This is already a right under DPA1998, by which someone can ask to see what information an organisation is holding about them.  The change under the GDPR is that an organisation can no longer charge for this process (under DPA1998 there is usually a £10 fee, but the GDPR means that in most cases this will have to be free of charge). Quite a few organisations expressed the view that the removal of fees and – possibly more importantly – the publicity around the GDPR, will result in a higher rate of these requests. 

Depending on the nature of the firm, this might be a significant operational burden and the time-frame for responding will be reduced from 40 days to one month.  There is also a related “right of erasure” or “right to be forgotten”.  This new right allows someone to request that you delete their personal information.  But firms also need to be aware that they may also have legal obligations to retain some of that data and those obligations would trump the GDPR provision.  The challenge then becomes to remain compliant with other regulations (tax, VAT etc) and also be consistent about how right to erasure requests are handled – again, especially if this needs to be done at scale.

A third – and possibly most important – point is around consent to hold and use personal information.  We’re all familiar with the “tick here if you don’t want to be contacted” options on many types of forms that we fill out.  Under the GDPR, this would no longer be sufficient to allow that data to be used.  Instead, consent must be by a positive action (an opt-in), which must be freely given and specific for the purpose for which data will be used.  This means that consent must be sought for a specific activity and the data only used for that activity.  The “freely given” element means that organisations can’t make provision of goods or services dependent on consent to use personal data for another purpose – which is in line with the principle of only collecting just enough data for that service provision.

This makes the process of consent gathering much tighter and organisations will need to take considerable care in this area.  Also, once the GDPR comes into force it will not be allowed to use existing databases, if that data wasn’t collected at the level required by the GDPR.  This could present real problems for organisations in May 2018, especially if the history of some personal data is not known (i.e. if you don’t have a record of how the consent was gathered – another GDPR requirement – and can be sure that it meets the required process standard). Consent is the area where we’ve had the most conversations following the seminar events and it’s good to see positive action being taken by several organisations.

It’s worth noting that if you have some other legal basis for holding some personal data, then this would again trump the GDPR requirement. 

This all sounds scary and somewhat doom-laden, much in line with the headlines about the GDPR.  But there is now a steady stream of practical guidance emerging to help with compliance and for many organisations this may not be such a troublesome process.  The GDPR is a risk-based compliance process and implementations should consider this – the actions you’ll need to take will be proportional to the risk associated with the data you’re holding.  As with anything, starting early and being prepared is the best approach.

A first practical point would be conduct an information audit.  It’s pretty obvious that you can only manage what you know about.  For large organisations this is going to be a major project.  For SMEs maybe less so – but the scope should include all information, paper and digital, on-site and off-site.  This will uncover the data you’re holding and naturally lead into questions as to how it is being collected or used and by whom.  You should also ask if you really need that data or if it is just posing a risk to your business. 

The Information Commissioner’s Office (ICO) has created a very useful “12 steps” guide to compliance with the GDPR and this is also an excellent place to start.  The information audit is one of those steps, followed by specific consideration of key issues – including SARs, right of erasure and consent gathering. 

Just a final point, seminar attendees asked a number of questions around topics which might be deemed “GDPR myths” and are worth mentioning here.

A common question was “I only trade with other businesses not the public – I’m B2B not B2C – so the GDPR doesn’t apply”.  However, all organisations store personal data such as HR records and both past and present employees have data rights under the GDPR.  So whilst B2C firms have a much larger scope of work, all employers need to consider the GDPR.

Closely related to this was “I only have data about people in their business context – name, position, company phone number – so this isn’t personal data, it’s on their website”.  Actually, this is personal data under the scope of the GDPR if you hold it (e.g. in your CRM system), as that is anything which can identify an individual.  In fact the scope of “personal data” is going to be quite broad, even to non-traditional data such as internet browsing history if that can be traced in some way to the individual.  So businesses need to consider how they will continue using this data and the level of consent under which it was gathered. 

The GDPR is EU legislation and part of the driver for the update was to consolidate data protection law across the EU member states.  However, the response to “Brexit means that this EU legislation won’t apply in the UK” is that it definitely will.  The ICO has been clear on this point and May 25th 2018 will come around well before the UK completes Brexit negotiations. And whilst no-one has a crystal ball to say how legislation will be updated post-Brexit, the broadly held view is that it’s unlikely that the UK would water down protection of individual rights when we still want to trade with the EU.  So the GDPR is happening and we can expect it to stay.

Finally there’s something of a misconception that “compliance with the GDPR can wait”.  We don’t think so and would hope that the points above show why it will be far better – more efficient and cost effective – to act early.  The GDPR will affect everyone and those who take the lead will be well placed to make this an opportunity rather than a burden.

You can read more practical advice in Arena’s GDPR insight paper, here.


Expert News | Blog

View all news

© 2018 Arena Group Ltd | Cookies & Privacy | Terms of use | Web design by eskimosoup | Accessibility

The Arena Group comprises: Arena Group Holdings Limited, a company registered in England and Wales (with registered company number 03735943 and VAT number 734562528) and its subsidiary company: Arena Group Limited a company registered in England and Wales (with registered company number 02168309 and VAT number 458238033). The Registered office of all Arena Group companies is Armitage House, Thorpe Lower Lane, Robin Hood, Wakefield, WF3 3BQ. Authorised and regulated by the Financial Conduct Authority for credit-related regulated activities.