Year two of the GDPR marks the end of basic compliance

Posted Jul 1, 2019

In the Scotland on Sunday (16 June 2019) Nimarta Cheema highlights that too many Scottish SMEs “Don’t know what might hit them” from GDPR now we are at the end of the informal education phase.

Following the first anniversary of the legislation coming into force, the Information Commissioner’s Office (ICO) will be implementing more stringent enforcement and there are several examples of common breaches of the GDPR which could lead to significant fines if left unchecked. They include:

  • Being unable to recognise a Subject Access Request (SAR) and treating it as an inappropriate request for information, or mishandling the SAR and failing to respond within the legally stipulated time;
  • Not taking seriously the obligation to register with the ICO, or mistakenly expecting to fall within an exemption or to ‘get out of’ a fine due to lack of awareness;
  • Using data gathered for one legitimate purpose for a different purpose, without checking or understanding whether an appropriate legal basis exists for that use;
  • Not knowing they have to document their processing activities and map out how they deal with data; and
  • Engaging data processors or sharing data without appropriate written contracts.

Commenting, Nimarta Cheema, a corporate lawyer and data protection specialist at Lindsays, said:

“It is completely understandable that SMEs, which will often not have data protection specialists on the staff, either don’t understand or would rather not deal with GDPR issues.

“However, this is not going to end well. The GDPR is here, and the light-touch phase where the ICO will allow some leeway is now over. Scottish businesses must meet this issue head on to save themselves time, hassle and, most pertinently, money.

“Much of this comes down to staff training, with either no training having been performed or a single member of staff receiving data protection training but failing to trickle it down internally.

“It’s time to take the GDPR seriously. Scottish SMEs need to take pre-emptive action; they don’t know what might hit them.”