A regular column providing answers to your legal questions
Welcome to the bi-monthly column in which experts from IBB solicitors answer legal questions submitted by you.
Submit your questions to: [email protected]
Q1 I did all the work over a year ago to be compliant with GDPR, has anything changed?
The legislation has not changed, but GDPR compliance is not a one-off activity: you should make sure your business’ data policies and procedures are reviewed regularly. For example, are all your employees adhering to the internal rules you have put in place to keep the business in compliance with GDPR? Is your registration with the Information Commissioner’s Office (ICO) up to date?
It’s worth noting that the ICO will fine any business up to 4% of worldwide turnover or €20m (whichever is the higher) if it is found to be in breach of the regulations. Don’t cut corners or believe your business will be immune or invisible to the ICO. A nominal amount of GDPR housekeeping on a regular basis will ensure you mitigate risk and have peace of mind.
Q2 I have received a number of demands from individuals for us to inform them what personal data we hold about them. Is there anything I can do to prevent them in the future?
The short answer is no. Everyone has a right to make what is called a Subject Access Request – ie the right to ask a business what data they are holding about them, where they got the data from, how long they intend to keep it for and the reason for doing so.
To ease administrative pain, make sure your business has good systems in place so that you can swiftly respond to Subject Access Requests (up to one month to respond following the request). Your business will need to search all computer systems and hard-copy documentation to provide a full and accurate response. It’s worth checking with your lawyer whether you can limit the scope of the request. Your lawyer will be able to advise whether there are any grounds for refusing the request – particularly if, say, the same person keeps making requests or whether there is a legal requirement, eg security of third-party personal data.