GDPR Compliance & Data Protection Practice - Okapi Solutions


GDPR Compliance & Data Protection Practice

GDPR Services
The General Data Protection Regulation (GDPR) is an EU Regulation which entered into force – and became UK law – on 25 May 2018 (the full text of the Regulation is available at: https://ec.europa.eu/info/law/law-topic/data-protection_en).

All organisations, whether within a member state or outside the EU, that store or process the personal data of an EU citizen (‘data subject’ / ‘natural person’) fall within the scope of this regulation and must be able to identify the lawful basis for the continued processing of personal data.
Notwithstanding ‘Brexit’, the UK has already decided that this regulation will apply and be enforced. To this end, a new Data Protection Act – the draft Bill is currently before Parliament – will bring the GDPR into UK law and replace the existing Data Protection Act 1998. The draft Bill is expected to be finalised and become the Data Protection Act 2018 before the end of 2018.

New privacy and enforcement rights have been created for living persons (data subjects). For organisations that process large amounts of personal data or operate within certain sectors, e.g., the Health, Dental and Education sectors, the new duties are likely to prove especially onerous, given that sensitive personal data as well as children’s data are being collected, stored, accessed, transmitted and archived. Staff and business owners are also becoming used to accessing organisational information from any device – laptops, PCs, tablets, mobile phones, etc. – whether personally owned or provided by the business. The GDPR therefore requires organisations to be able to identify, collate and secure all the personal data held on their clients, patients, etc., no matter where it may be located.
Additionally, as a result of the increasing use of cloud-based platforms, applications and services, many organisations now habitually export personal data outside the European Economic Area (EEA). However, the GDPR permits such data exports only to approved countries, or to countries where appropriate safeguards and privacy enforcement laws are in place. Organisations therefore need to check where their data is held and whether their supplier currently complies with the law, or has plans to comply with it.

The GDPR also requires organisations to maintain a plan to detect data breaches, to regularly evaluate the effectiveness of their security practices, and to document evidence of compliance. If you don’t already have the required security tools and controls in place, your organisation will need to start planning as soon as possible to achieve compliance and mitigate the risk of fines for failure to comply. A good starting point in the UK is the Information Commissioner’s Office (ICO) website, where regular guidance and blog updates on the impact of the GDPR, including the very useful Data protection self-assessment, are published.

We assist companies with GDPR-related activities, including:

    • Business process analysis & data flow mapping;
    • Data Privacy Gap Analysis;
    • Data Protection Impact Assessments;
    • Preparation and documentation of GDPR-compliant policies and procedures;
    • Staff Awareness Training.
