DATA PROTECTION - 20.09.2017

Must you hire a GDPR specialist?

In May 2018 the Data Protection Act 1998 will be replaced by the General Data Protection Regulation. On the back of this important change, many “GDPR specialists” are touting their services. Must you hire one?

Getting ready

On 25 May 2018 the Data Protection Act 1998 (DPA) will be replaced by the General Data Protection Regulation (GDPR). Whilst the GDPR mirrors many of the principles contained in the DPA, individuals will have increased rights in respect of their personal data, particularly in relation to processing and consent. Compliance with the GDPR is mandatory and, as with the DPA, there is no small business exemption.

Pushing their services

With the GDPR firmly on the horizon, many “specialists” are pushing their services and warning employers about the risks of getting things wrong. Clearly, you’re going to have to be on top of the GDPR when the time comes, but must you hire a specialist to help with the preparations? Depending on your business and its available in-house expertise, this may not be necessary. However, if you decide that you need an external specialist to help get on top of the GDPR, there are a few things to bear in mind.

A real expert

Firstly, anyone who claims to know everything possible about the GDPR and how it will be enforced at this early stage probably isn’t being entirely accurate. Whilst the ICO has started creating resources for businesses, a number of issues still need to be ironed out. Furthermore, the ICO hasn’t issued comprehensive guidance on the GDPR and it has no plans to do so. It will release official guidance on consent under the GDPR in December 2017 but that guidance won’t cover anything else.

Tip. Draft guidance on consent under the GDPR is available now (see The next step). The ICO says that “It’s unlikely that the guidance will change significantly in its final form”, so this is a good starting point.

Fact from fiction

Another issue to be aware of is that there’s a lot of scaremongering about the GDPR. Indeed, the following misleading statements - all made by supposed specialists - have been brought to the ICO’s attention:

  • “all personal data breaches will have to be reported to the ICO without fail”
  • “if employers don’t report a breach on time, a fine will always be issued”
  • “the GDPR prevents you ringing people to remind them about meetings or appointments”
  • “employers that hold personal data on a cloud server can ignore the GDPR as it’s the service provider who has the duty to comply.”

Note. For the record, these are all myths.

Tip. Before you hire a specialist, our advice is to read the ICO’s overview of the GDPR (see The next step). It explains the similarities with the DPA and describes some of the new and different requirements. This is a live document and will be developed over time. It also signposts users to further information; this may be all you need to get on top of the GDPR. If, however, you conclude that a specialist is required, be sure to scrutinise their credentials and experience.

The next step

For the ICO’s draft guidance on consent under the GDPR and an overview of the GDPR, visit http://tipsanadadvice-personnel.co.uk/download (PS 19.17.03).

There’s no obligation and probably no need to hire a GDPR “specialist”. You can assess your knowledge and level of compliance by working through the ICO’s GDPR overview. If you spot any gaps, it offers further advice on what to do. Should you decide to hire someone, be sure to check their credentials and experience.

© Indicator - FL Memo Ltd
