Are you ready for GDPR?

With the clock ticking until the biggest change to data protection law in 20 years, make sure you protect and enhance the reputation of your business with Acuity DataGuard.


Why do we need Acuity DataGuard?

Does your business hold or use personal data? From 25 May 2018 the General Data Protection Regulation (GDPR) applies. The Information Commissioner's Office calls it “a game-changer for everyone”.

Failure to comply with the new data protection law puts revenue at risk and could result in significant fines - up to €20 million or 4% of annual worldwide turnover, whichever is greater. With such a risk to balance sheets - not to mention reputational damage - can you afford not to identify gaps in the way you handle personal data?

What is Acuity DataGuard?

Start your journey towards GDPR compliance with a comprehensive online audit tailored to the size and structure of your organisation.

Through a series of in-depth questions, it will assess and evaluate the data you collect and how you use it. Based on a compliance rating, it will identify any gaps and highlight corrective actions you can take to make sure you’re GDPR compliant.

Once you’ve undertaken an audit and understand your obligations under GDPR, Acuity DataGuard™ extends to a full-spectrum solution for data security and reputation management. The benefits of this wraparound service - all for a competitive and transparent package rate - include:

  • An annual data protection audit that’s updated whenever there’s an organisational change
  • Contract and policy reviews to ensure legal compliance
  • HR and employment law advice on data protection compliance and breaches
  • Knowhow and real-time access to relevant articles, briefings and legislative updates
  • Training on data protection issues
  • 24/7 support in the event of a data breach
  • Access to complementary services through independent third-party specialists in security monitoring, penetration testing and cyber security accreditations

 

Get in touch to find out more about putting the essential cyber security controls in place for an ever-changing digital landscape by signing up to Acuity DataGuard™.

What happens after a data breach?


If you suffer a data breach, the wraparound version of Acuity DataGuard gives you 24/7 support and advice, not only in the immediate aftermath of any alleged breach but also throughout any subsequent ICO investigation. This includes:

  • Help with notifying the breach to the ICO within the 72-hour deadline (which runs from when you become aware of the breach) and subsequently liaising with the ICO
  • Help with investigations to establish the facts and scope of the breach, including collating and preserving key documents and preparing witness statements
  • Advice on the outcome of investigations and any reporting obligations under the GDPR
  • Advice on potential liability and dealing with any third-party claims
  • Crisis communications and reputation management support
  • Access to data recovery and cybersecurity specialists

Fine Calculator

Non-compliance can lead to potential fines of up to €20 million or 4% of annual worldwide turnover, whichever is greater.

To work out the maximum your business stands to lose, take 4% of your annual worldwide turnover (for example, a turnover of 10,000,000 gives a potential 4% fine of 400,000). If that figure is below €20 million, the maximum fine is still €20 million.

Still not sure if you need help with GDPR?

Take our quick questionnaire.

Question 1

Are you aware that the law around data protection is changing with the upcoming implementation of the GDPR?

If yes: good. Despite it being imminent and the biggest change to data protection law in 20 years, many organisations are still not aware of the GDPR. But we are here to help.

If no: wow. We are glad you stopped by. The General Data Protection Regulation (GDPR) applies from 25 May 2018. It replaces the Data Protection Act 1998 in the UK and is the biggest change to data protection law in 20 years. But we are here to help.

Either way, the ICO advises that you make sure decision makers and key people in your organisation are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have and identify areas that could cause compliance problems under the GDPR. Implementing the GDPR could have significant resource implications for your organisation.

Question 2

Does your organisation process personal data?

If yes: it is very important that you get to grips with the GDPR.

If no: really? Are you sure about that? The GDPR has a wide definition of processing, and the majority of organisations will deal with personal data in one way or another. Even a person’s name or email address is likely to constitute personal data.

Either way, the ICO recommends that you document what personal data you hold, where it came from and who you share it with. Consider carrying out an audit. Holding inaccurate data is a big problem under the GDPR, but doing something about it will be very difficult without first carrying out an audit. The accountability provisions in the GDPR require organisations to demonstrate compliance; carrying out an audit is a first step, and Acuity can help you with this.

Question 3

Are your policies and procedures (including privacy notices) GDPR compliant?

If yes: are you sure? While very good practice under the Data Protection Act 1998 will stand you in good stead, there are a number of differences and new aspects to the GDPR that you need to consider.

If no: you need to think about this now, as time is running out.

Either way, you should review your current policies and procedures and make the necessary changes in time for GDPR implementation. For example, under the GDPR you need to tell the data subject the legal basis for processing their data, how long you retain it and that they have a right to complain to the ICO. Do your procedures deal with how you would delete or correct personal data? Do you have a policy for providing data electronically and in a commonly used format?

Your privacy notices need to be concise, clear and easy to understand.

You really should consider calling in the experts; Acuity is here to help.

Question 4

Do you have a valid legal basis for processing personal data?

If yes: are you sure? Organisations relying on consent, for example, will have to consider this very carefully under the GDPR. Consent must be freely given, specific, informed and unambiguous. Consent cannot be inferred from pre-ticked boxes or from silence or inactivity.

If no: you really need to consider this. You must have a valid legal basis for processing personal data.

Either way, under the GDPR some rights of a data subject will differ depending on your legal basis for processing their personal data, and you need to explain that legal basis in your privacy notice.

If you are relying on consent, you need to be able to demonstrate that it was actually given. Review the systems, policies and procedures you have in place for recording consent. Again, an audit is highly recommended, and Acuity has just the audit tool for you.

Question 5

Do you have policies and procedures in place to detect, report and investigate a breach of personal data?

If yes: great. We would strongly recommend that you review them to ensure they are GDPR compliant.

If no: we would strongly recommend that you put such policies and procedures in place.

Either way, in many cases you will be required to report a breach to the ICO within 72 hours of becoming aware of it, or face hefty fines. In some cases you will also have to notify the affected data subjects. 72 hours is not a long time (and it includes weekends and bank holidays), so you should make sure you have the right procedures in place; an audit to assess the types of data you hold and your current procedures is important.

Question 6

Do you know what the potential fines are for breaches of the GDPR?

If yes: good. Just to remind you of what follows.

If no: are you sitting down?

Under the GDPR there are two tiers of potential fines, depending on the breaches or failures in question:

  • Tier 1 – fines of up to €10m or 2% of global annual turnover (whichever is the higher); and
  • Tier 2 – fines of up to €20m or 4% of global annual turnover (whichever is the higher).

The maximum fine under the Data Protection Act 1998 was £500,000 – this is now 'small change' compared to the new potential fines under the GDPR.

Can your organisation afford not to comply with the GDPR?

If you have answered NO to one or more of the preceding questions, you need Acuity DataGuard. Call 0845 266 5225 to arrange a consultation or contact any one of the team below directly.

MEET THE GDPR TEAM