Compliance Insights Articles

Accountability is not a new concept in data protection, but whereas the principle of accountability was implicit in the Data Protection Act 1998, the General Data Protection Regulation explicitly enshrines accountability as an obligation for controllers, meaning that firms will need to take responsibility and prove that they are compliant. Articles 5 and 24 of the GDPR require that controllers be able to demonstrate compliance; Article 5 specifically defines ‘accountability’

Following the implementation of the General Data Protection Regulation eleven weeks ago, the Information Commissioner’s Office have published a suite of guidance documents for all types of firms, helping to interpret the new rules and guide firms to apply the rules in practice. This is particularly helpful for firms experiencing some confusion about some of the more complex parts of the Regulation. The new guidance provides a helpful run-down of the process of undertaking a D

So, here we are, after years of anticipation the GDPR implementation date has finally passed…and the earth is still here. Despite scaremongering and misinterpretation, businesses have not ceased to function as of 25th May 2018. However, implementing GDPR incorrectly, whether you take an overzealous approach or fail to implement key standards could have a seriously detrimental impact on your firm’s bottom line. This article is focused on those who have taken an over-zealous ap

With the 25th May implementation date for the General Data Protection Regulation looming at the end of this week, our handy guide to making good use of the final few days will help you to ensure compliance before the deadline. Regulatory change can be daunting, and both the sheer number of new rules and the much talked about consequences of getting it wrong can be intimidating. There’s no one ‘right way’ to go about preparing for the GDPR, and whether arrangements have been u

With the implementation of GDPR less than a week away, firms across the country have been preparing for the new regulation. Most of us will have noticed the influx of emails from companies asking us to read updated privacy notices and terms and conditions and to opt-in if we want to keep receiving communications. What is less obvious are the changes that are being made behind the scenes. Most firms should, by now, be aware of whether they need to appoint a Data Protection Off

There have been plenty of articles about the risks and consequences of non-compliance, with most focusing on the maximum penalties, and a few suggesting that some firms believe that the consequences have been over-stated. Whilst we’re pleased to say we’ve not come across anyone in our sector that is not taking compliance seriously, it’s a good idea to consider the differences that the change from the Data Protection Act 1998 to the GDPR will have on sanctions. The count-down

Out with the old and in with the new. The rules relating to Data Protection are about to see the most dramatic change in years, if not ever, with the soon-to-be-implemented EU Directive 2016/679 also known as the ‘General Data Protection Regulation’ (GDPR). With drastic changes on the horizon, Data Processers are inevitably starting to feel the strain as the May 25th deadline looms in the not-so-distant future. Besides the apparent never-ending changes necessary for a firm to

One of the changes to be introduced under the General Data Protection Regulation (GDPR) is the requirement to appoint a data protection officer (DPO) in certain circumstances. Most firms are familiar with the role in general terms, but it’s imperative that firms take steps to ensure they are clear about whether they need to have one, and if they don’t, whether they should elect to have one. If you appoint a formal DPO, they will need to be able to comply with the full range o

One question I have been asked recently is “what should be in our GDPR compliant Data Protection Policy?” In fact, it’s something I have been asked more than a handful of times, so I thought I’d share my thoughts with you. When we think of data protection policy and documentation we tend to automatically consider data security, which is an important part, but it must be remembered that it is not the start and end of it. So, yes, the security protocols you have in place should

2018 promises to be a bumper year for compliance. I can hear what you are thinking, you’ll be muttering, “Isn’t it always?” Seriously, this year promises to be more important than any since 2014 when the FCA took over regulation of consumer credit. We’ll start the year with elements of MiFid coming into force along with the Payment Services Directive. At the same time we’ll be feverishly working on becoming GDPR compliant in order to meet the May implementation date and to av

The incoming General Data Protection Regulation (GDPR) will replace the current Data Protection Act 1998 when it comes into force in May 2018. One of the first things most firms note is the requirement to appoint a Data Protection Officer (DPO). Even if firms don’t currently have a resident DPO, most are familiar with what they assume the role to be – but will this change under the new regulation? The GDPR introduces a statutory obligation for firms carrying out certain types