56 | Tees Business
Pictures by Martin Walker
GDPR – ONE YEAR ON
A timely reminder as new data protection laws turn one
By Michael McGeary
There may not have been any cakes and candles from Teesside’s business community to mark GDPR’s first birthday, but one expert says the anniversary is a good opportunity to ensure policies and procedures are up to date.

The complex EU law – the General Data Protection Regulation to give it its full title – heralded a multitude of PowerPoint presentations and had more than a few bosses pressing the panic button in the months before finally coming into force on May 25, 2018.

Now, one year on, Elaine McLaine-Wood, managing partner and head of the commercial department at long-established Teesside law firm Punch Robson, is advising everyone to take steps to ensure they are still meeting its requirements.

Not everyone has switched off, however – Elaine recently read that more people search for GDPR on Google than for Beyonce or Kim Kardashian!

“The conversation may have shifted away from GDPR and you may think it’s business as usual, but people need to be aware they still have to comply,” she says.

“Given that this was by far the biggest shake-up of data protection regulations to date, it’s a good idea to take stock, reflect and look at what’s changed.

“A lot of people panicked and many organisations weren’t ready because of the practical requirements and the fact that the guidance wasn’t very clear, and there have been a number of challenges, which some are still working through now.”
[Photo caption: Google hit – but these days there are more web searches for GDPR than there are for US pop megastar Beyonce.]
Before last May’s changes, the Data Protection Act 1998 was the key piece of legislation in this area. GDPR, however, ushered in a far more radical and stricter regime.

“One of the key changes was to the right of individuals to be informed of any personal information held about them, which is known as a subject access request. Most organisations already had experience of this because anyone could make such a request under the Data Protection Act.

“But now you only have one month to respond and you can’t charge for the information. What’s more, requests can now be verbal, so someone can just ring up, whereas previously they had to be put in writing. You can also ask for your data to be deleted.”

Elaine says it’s essential for all organisations to know whether they are a “data controller” – who determines how data is processed – or a “data processor”, who handles data on behalf of the controller and is subject to far fewer legal obligations.

“As a firm, we process and control data, and we have to be transparent to our clients about how long we hold that information and what we use it for. All organisations have to do that, even if it’s just someone’s name and address.

“It’s also important to make sure that when you deal with another organisation – for example, if an organisation works with a third-party body – there’s a data-sharing agreement in place stating very clearly and specifically the reasons information is held and how it will be used, and that everyone signs up to this and complies.

“If there are two parties and one controls the information and the other processes it, it’s about identifying who does what and ensuring there’s a contract between them. It’s not cheap to comply, so it’s important to make sure who pays for it is covered in the contract.

“Companies should issue GDPR policies to their staff so that when they leave, they know how long their information will be kept for and what it will be used for. They should also have privacy policies in place,