Kemp Little

Commercial technology · Data protection & privacy · 28 May 2019 · Anita Bapat · Matthew Gregson

GDPR – A year in review, where are you now?

25 May 2019 marked one year since the General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018 came into force. The legislation was introduced to implement a set of standardised data protection laws across Europe and to increase individual rights to privacy, and the early months of 2018 saw many businesses scrambling to put in place GDPR-compliant procedures prior to the implementation date.

Where are you now?

The GDPR anniversary provides a good opportunity for organisations to take note of where they are now, and what changes they might need to make to their compliance programmes in the year ahead.

In the rush to prepare for the implementation of the GDPR, many organisations focused mainly on their external facing processing activities, leaving their internal activities for a later date. Others have yet to pass the first hurdle: they are still completing their initial data mapping exercises and have yet to complete their GDPR contract review.

A year from the implementation date, any notional grace period will now certainly be over. Organisations will be expected to have implemented a basic level of GDPR compliance and should now be reflecting on those policies and procedures to assess continued compliance.

What does continued compliance look like?

  • Registration with the ICO – all organisations that process personal data as a controller must pay a fee of between £40 and £2,900 to the ICO unless they are exempt from doing so. The ICO has now stepped up its enforcement in this area, with 1,936 notices of intent for non-payment and 103 fines for failure to respond issued as of 25 January 2019.
  • Policies, procedures and data processing records – all organisations should ensure they put in place and update their:
    1. Internal and external facing privacy notices;
    2. Data processing records, inventories and data flow documentation;
    3. Procedures for reporting, responding to and recording data breaches and subject access and individual rights requests.

Your policies, procedures and data processing records should be kept up to date to ensure they keep pace with changes in your business. As your business continues to grow you should ensure that this documentation is updated to capture the collection of new categories of data, the processing of that data for additional purposes, and the wider sharing of personal data.

  • Entering into GDPR compliant terms – standard terms and conditions should include the mandatory article 28 terms to be entered into between controllers and processors. To the extent that your existing contract review is ongoing, you should ensure that this project is not put out to pasture, as your technical and organisational measures may be called into question in the event of a future data breach, or disputes with third parties.
  • Protecting international data flows – earlier this year the prospect of a no-deal Brexit saw many organisations scrambling once more to implement standard contractual clauses to protect EU to UK data flows. Whilst there appears to be some reprieve on this front for the time being, organisations should ensure that they are aware of the implications of a withdrawal from the European Union on any international transfers to ensure continued compliance.
  • Review of existing procedures – now that the initial GDPR rush has died down, you should not be afraid to review your existing processes, as you assess where you might have gaps in your processes or areas which are open to improvement.
  • Employee training – to maintain high levels of employee engagement you should assess where your employees might benefit from ongoing training. This is a key theme that has emerged as the ICO has investigated complaints of data protection compliance breaches. Further, the ICO’s data breach reporting form includes a section querying whether staff involved in an incident have undergone GDPR training in the last two years. Such training sessions should be tailored to the specific needs and issues of your business rather than being a re-run of earlier sessions. Incorporating an element of employee testing, GDPR spot checks, and appointing data custodians to oversee your processes can also encourage wider buy-in from your business.