Happy Data Privacy Day 2020!

Today is Data Privacy Day - an international holiday marked on 28 January each year, which is designed to raise awareness of data protection issues. The landscape of data protection law in the UK has evolved substantially in recent years. We have seen the introduction of the GDPR and the UK Data Protection Act 2018, which have brought with them:

  • Increased financial penalties, in terms of regulatory enforcement for breaches of data protection legislation;
  • Increased awareness across the general public of their individual data privacy rights;
  • Higher expectations on organisations to handle personal data with care.

The intention is that data protection is no longer a regulatory hoop to jump through or a box-ticking exercise - your business activities should now be designed with data protection in mind, in order to achieve compliance.

Did you know that...?

  • You don't always need consent to process personal data. In the words of the Information Commissioner, ‘Consent is one way to comply with the GDPR, but it’s not the only way’.
  • Subject access requests (SARs) can be submitted in almost any format (including in writing, by social media - now even verbally!) to anyone in your organisation - are your employees trained to spot a SAR?
  • Brexit will not make the GDPR disappear - it’s intended that the GDPR will be written into UK law, and if you share or receive personal data from the EU, there are steps you can take now to prepare for Brexit.
  • Data protection compliance is an ongoing process, but there is no ‘grace period’ - the GDPR came into force on 25 May 2018 and is being actively enforced.
  • Data Privacy Day is a timely reminder for you to carry out a data protection stock-take, in order to ascertain whether your organisation’s compliance regime is in good shape.
  • Refresher GDPR Training is a good place to start - members of staff who handle personal data (such as the personal data of your customers and employees) should receive GDPR training at least annually, and new employees should complete such training as part of the induction process.
  • You may also wish to undertake a refresher GDPR Audit, particularly where business functions have changed and departments have evolved. It can be surprising what comes out of the woodwork in terms of new data handling practices and new third party processors, which may not be accounted for in your policy documentation. With this in mind, we also recommend that all policies and procedures are reviewed at least annually, and more regularly where your organisation has faced data protection issues, so that you can update your policy documentation to reflect any ‘lessons learned’.

Knights advise organisations of all sizes, across all sectors and industries, on all aspects of data protection law. Our areas of expertise include:

  • GDPR Compliance Audits & Training;
  • Website Privacy Policies and Data Retention Policies;
  • Subject Access and Data Breach Policies;
  • Data Processing and Data Sharing Contracts;
  • Outsourced Subject Access Request Response Advice;
  • Data Breach Advice.

Knights plc | Data Protection Team

