The Data Protection Act 2018, the UK's implementation of the General Data Protection Regulation (GDPR), has recently celebrated its fifth anniversary. However, compliance with this legislation remains a challenge for many SMEs. Set out below are the key steps involved in establishing a compliance programme:

  • Appointing a data protection officer (DPO) (if required or appropriate) or other person with responsibility for managing the compliance programme.
  • Conducting internal data processing mapping and compliance audit throughout the organisation.
  • Identifying the controllers and processors (both within the organisation and outside) relating to different processing activities.
  • Ensuring appropriate lawful grounds exist for each processing activity, which comply with the UK GDPR's data protection principles.
  • Implementing systems to ensure only authorised employees have access to personal data, establishing security arrangements to prevent personal data being compromised and clearly identifying the individuals within the organisation that are responsible for information security.
  • Ensuring that appropriate data security levels exist within the group and appropriate arrangements have been put in place with third party processors.
  • Preparing and providing appropriate privacy policies regarding the company's processing activities and obtaining consent where necessary.
  • Providing and maintaining a training programme for employees with access to personal data within the company.
  • Carrying out data protection impact assessments on relevant business processes, systems and products to ensure compliance with UK GDPR requirements.
  • Providing a training programme for employees to ensure that all employees understand the need to protect personal data and are familiar with the company's information and security policy.

We can assist with designing your compliance programme, carrying out a data mapping exercise and drafting the required policies and procedures, including:

  • internal and external facing privacy policies;
  • cookie policies;
  • data breach response plans;
  • data retention policies;
  • data protection impact assessments; and
  • data protection compliance records.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.