UK Contractors Urged to Check Client GDPR Compliance
GDPR — the General Data Protection Regulation — came into force on 25th May 2018. Replacing the old and outdated Data Protection Act 1998, the new regulation is designed to give more control to the public over how, why, and when their personal information is used by businesses. We’re now almost 4 months into life under GDPR, and yet the subject of data protection is one that is still very much a hot topic.
The reason we’re all still talking about GDPR is simple: compliance remains remarkably low amongst UK businesses. In fact, statistics from August 2018 suggest that more than one third of companies still aren’t compliant with the new legislation. It’s estimated that 35% are still sending unsolicited emails; 31% are storing data without explicit permission; 27% aren’t securing the data they hold; 22% haven’t implemented simple opt-out processes, and 14% are still making it difficult to access privacy choices.
For a tech contractor, figures like these are somewhat worrying. After all, while your own processes may be compliant, it is vital for your clients to be compliant, too. This is of particular interest to tech contractors who act in some form of data processing role for their clients. Say you’re working as a business analyst, holding identifiable details not only for the employees of the business, but for shareholders, too. There need to be solid, compliant plans in place for the protection of this data.
Checking Client Compliance
At a time when organisations such as BT and Gloucestershire Police have been fined by the Information Commissioner’s Office (ICO) for lack of compliance (BT were fined £77,000 for sending unsolicited emails, while Gloucestershire Police were fined for revealing victim details in an email), it is well worth spending a little time ensuring that you’re working for compliant companies.
From a tech contractor perspective especially, it’s also worth making sure that the data that you’re working with is protected to a level that the ICO would be happy with. Is the data adequately encrypted? Can data be accessed as needed? Is the existing level of protection evaluated and reviewed regularly?
Of course, ultimately it is the data controller — the company — that is liable for their own GDPR compliance. However, tech contractors acting as data processors will often have direct responsibilities, too. Amongst these responsibilities is the need to ‘assist the data controller in meeting its GDPR obligations’. Therefore, to ensure complete compliance with this new (and still somewhat confusing) data protection regulation, it is essential for tech contractors to work to ensure their clients have everything in place.