CLOSE SEARCH
A UK based company, operating in the B2C space, sold goods online and therefore had a vast personal data collection to look after.
After having expanded rapidly from under 10 staff to over 100 within only a few years, the original data protection policies (some of which were off the shelf ones, which may work for a start-up) were showing their age- they didn’t reflect what the business had now become and many had been updated piecemeal.
The obligations in relation to GDPR were complied with by the organisation when those laws first came in in May 2018, but a major review and update was required as many aspects of the organisation had changed enormously since that time.
GDPR is known by all organisations as a base line for data protection compliance. However, it is not, and was never intended as, a one-time compliance exercise. As with any other law, it requires ongoing review to check whether an organisation is up to date and that any element of the business is not breaching the law.
It is also very important that a business does not just have policies and then determines that compliance stops at that point. Outsourced suppliers also need to be audited and regularly asked whether they are complaint- in any investigation, the Information Commissioner’s Office (ICO) will look at supply chains as well as internal processes. Having written contracts with such suppliers is now required under the law.
A new director had joined, creating a new position in the firm, with the remit to oversee the business’s operations, including risk and compliance. He had identified that many new staff had joined who would not know why the policies were there and most importantly, some of the policies and procedures were incorrect.
We can help a business to thrive by conducting a data protection audit. It is important to do so, (and also to diarise to do so regularly in the future) as what may have previously worked may be out of date and the business is likely to have changed.
An audit provides the business with an assessment of whether it is following good data protection practice, will help all staff to understand their obligations under the laws and would look at whether the business has effective controls in place, which would work together with policies and procedures.
In this case, an audit involved (amongst other things):
a review of the privacy policies, which encompassed how supplier and customer data was held and how they were advised of it,
a review of the structure and policies within the organisation and making sure we made specific people responsible for those;
how the company deals with subject access requests;
a review of how the controlling and processing of data was documented, such as third party suppliers, for instance.
how staff data was collected and kept.
The audit resulted in a lot of new information being produced and a new set of policies and procedures were created by us to reflect that.
As a result, we also agreed with the business that we should follow up with a bespoke piece of training for staff. This informed the staff of the law, the new policies and procedures and their roles within it. We left the business in a great position to be able to welcome new staff as well with a webinar that each staff member could log on to as they joined.
The outcome of the audit and the follow up work was that the business was now set up for the present and near future, confident that they had the documents, procedures and processes in place.
This is of great benefit - it will reassure clients, suppliers and regulators that they are a trusted business and, whenever the time comes, a huge amount of value will be added to the business if they ever want to sell it, as they can show they are compliant and have a set and robust organisational structure.
The business needed our expertise and strategic guidance to inform them of the current law in relation to data protection, as they did not have that knowledge in house. It would have taken their staff and the board a long time to ascertain what was required and the steps to take, without impacting other parts of the business (and their day to day work). We were able to take this problem off their to-do list and create value to the company.
The cost benefits of carrying out this exercise for the company were huge - the ICO would be satisfied on any investigation that they had taken the steps to be compliant. The costs of ignoring data protection laws are enormous- the ICO has the ability to impose large fines for non-compliance.
It is also worth carrying out this exercise for commercial reasons - customers, counterparties and funders may want to carry out due diligence on a business to assess how robust it is.
In terms of the long term, the company was now able to operate in a self sufficient manner and satisfied that it was complaint and its staff knew their roles within the data protection laws.
For any further information and how we can help, please contact Phil Parkinson at phil.parkinson@taylor-rose.co.uk.
Get in touch
If you would like to speak with a member of the team you can contact us on:
Partner - Commercial law and Data issues
Phil specialises in assisting SMEs and owner-managed businesses with their non-contentious commercial contracts and data protection needs. He qualified as a Solicitor in 2002.
His expertise includes drafting a range of contractual documents, fro...
