While GDPR is an EU regulation, it will most likely remain a part of UK legislation after Brexit. Given its wide-ranging implications for businesses – from how employee records are handled to the marketing data a company may hold on its customers – failure to comply with the new rules may mean hefty fines for companies. These can be the higher figure of €20m (£17.6m) or 4% of global revenue for the most negligent of offenders.

To discuss some of the major compliance goals that companies must meet, and examine some of the practical steps that organisations should be taking in preparation for the May deadline, the bank hosted a recent webinar on the topic.

“GDPR addresses the significant advances made in technology and how information is used,” said Nick Soret, head of consultancy technical development at Mentor, NatWest’s business consultancy service. “Think about remote working, customer profiling, cloud computing and social media – none of these things were really envisaged when the current data protection laws were drawn up in 1998.”

Businesses will need to take control of their personal data. This will mean taking an active approach to the governance of the personal data they process, so that they will be able to demonstrate compliance with the regulation. Soret recommends developing an ongoing programme of compliance and monitoring.

“Just having a policy in place won’t be enough. Compliance will focus on what companies do with their data on a day-to-day basis.”

Key steps

Having been extensively involved in helping organisations prepare for the changes, Soret and his colleague Gilbert Doull, senior employment law consultant, have identified four key steps that companies need to take:

1. Document what personal data you hold, where it came from and who it is shared with by creating a data register

This will mean establishing the name and contact details of the data controller, the purpose of processing data, and a description of the categories of data subjects and of the categories of personal data.

“In simple terms, this details what personal data you have, why you have it and what you do with it,” said Doull. “It will be a living document that the person responsible for data within the business will update when any new category of personal data is undertaken.”

Organisations will be expected to produce their data register on demand to establish their compliance with GDPR.

Just having a policy in place won’t be enough. Compliance will focus on what companies do with their data on a day-to-day basis

Nick Soret
Head of consultancy technical development, Mentor

2. Establish your lawful basis for processing each category of data

Once an organisation has identified the data it processes, it then needs to establish the lawful basis on which it is doing so. “You can’t hold or process data unless you have a lawful basis for doing so,” added Soret.

Gaining consent from an individual to use their personal data is a lawful basis; others include needing to process the data in order to fulfil a contract, or to comply with a legal obligation; or the processing being necessary for your legitimate interests or those of a third party (with some exceptions). There are further lawful bases, but Soret believes these four to be the most relevant to businesses, with consent likely to be the most often used.

“GDPR puts additional obligations on organisations that rely on consent,” added Soret. “These are that they must be transparent in how the data will be used, and that procedures are in place for when consent is used.”

When it comes to the processing of employee data, Soret said, companies can’t rely on consent as a lawful basis because of the imbalance of power between employer and employee.

3. Be transparent and complete the data register

“Doing this exercise will help organisations identify if there are any gaps that need to be addressed, such as needing to adopt security measures,” added Doull. “At this stage, organisations need to consider who in the organisation takes responsibility for preparing and maintaining the register.”

Regardless of whether or not this is a formally hired data protection officer, the person responsible needs to manage the data register, updating records and keeping track of subject access requests and data breaches.

A data register should state:

  • how long data is retained
  • who can access the data
  • who data is shared with
  • how data is destroyed
  • the source of the data
  • how and where the data is stored and accessed
  • the security measures in place to protect the data

4. Develop a privacy notice

“One of the new aspects in GDPR are much improved transparency obligations,” stated Soret. Compliance means providing more comprehensive information to individuals at the point they collect the data. “The next key step is to create a privacy notice.”

This document should include the:

  • identity of the data controller
  • purpose and basis for processing the data
  • categories of data that are collected and their storage period
  • data subjects’ rights under GDPR
  • consequences for the subject of failing to provide the data
  • existence of any automated decision-making or profiling

“This is why you need to have a populated data register prepared in order to create a privacy notice,” said Soret.

How a company interacts with a data subject will likely determine the form of privacy notice. For instance, a recruitment company asking subjects to fill in a skills form would typically present the privacy notice in printed form. Companies asking subjects to fill in an online form would probably use a digital form.

Keeping on top of the housekeeping

Once data has been collected, however, organisations also need to consider how they comply with GDPR in three critical areas: subject access requests, withdrawal of consent and breach reporting. These are areas that need serious consideration, as failure to respond within strict limits may mean an organisation is in breach of the regulations.

While the particular situation of an organisation will require its own nuanced approach to GDPR compliance, taking note of the basics is key. Soret concluded: “If organisations take these steps, they will be well on the way to GDPR compliance in May.”

This material is published by NatWest Group plc (“NatWest Group”), for information purposes only and should not be regarded as providing any specific advice. Recipients should make their own independent evaluation of this information and no action should be taken, solely relying on it. This material should not be reproduced or disclosed without our consent. It is not intended for distribution in any jurisdiction in which this would be prohibited. Whilst this information is believed to be reliable, it has not been independently verified by NatWest Group and NatWest Group makes no representation or warranty (express or implied) of any kind, as regards the accuracy or completeness of this information, nor does it accept any responsibility or liability for any loss or damage arising in any way from any use made of or reliance placed on, this information. Unless otherwise stated, any views, forecasts, or estimates are solely those of NatWest Group, as of this date and are subject to change without notice. Copyright © NatWest Group. All rights reserved.

scroll to top