The deadline for GDPR compliance is just days away, but many businesses remain in the dark when it comes to their obligations.
Those are the findings from Oosha’s GDPR roadshow, which saw us partner with four leading law societies to engage businesses on the challenges of the new data privacy legislation.
Following well-received shows in Birmingham, Nottingham, Sheffield and Newcastle, it’s clear that firms are giving GDPR the serious consideration it needs - but confusion still remains for many.
There is particular concern for small businesses, with many unclear on the exact steps required of firms employing fewer than 250 people. Organisations of this size are most likely to struggle to commit resources to a GDPR project while keeping the business running effectively.
Businesses of all sizes, meanwhile, are confused by the ‘lawful basis’ definitions for data processing. Consent is highly impractical in many situations, yet firms are unsure whether ‘legitimate interests’ will hold up as a viable alternative - with many calling for more specific guidance from the Information Commissioner's Office (ICO) and the Solicitors Regulation Authority (SRA).
Dealing with third-party data
Across all our roadshow events, one particular issue arose more than any other. Firms are, it seems, especially unsure of their obligations when it comes to the third-party data they handle.
One specific example given was of a conveyancing law firm receiving personal information about a client from an estate agent. Firms questioned if they would need consent from the data subject in this instance - despite not receiving the data directly from them. This also applies to many other legal practices, such as sending and receiving bundles between local authorities, solicitors and barristers.
Our legal experts put forward two recommendations here. Firstly, that firms could rely on a different lawful basis to consent for this particular type of processing. They could argue either that the data is necessary for the fulfilment of a contractual obligation, a legal obligation or vital interests, or that there is a legitimate interest.
For example, it is in the interests of a person buying a house that the solicitor receives their information - and indeed they would expect that data to be transferred.
Secondly, it was argued that the firm should have an agreement in place with each of their data-sharing partners (the estate agent in this example), to guarantee that the data subject is informed at the point of data collection that their information may be passed to a third party without their further consent.
Answering your specific GDPR questions - Our follow-up webinar
For the Newcastle event, we were joined by Sheila Ramshaw and Terri Leigh from local firm Short, Richardson & Forth. They were so well-informed on specific examples - such as the one shared above - during our closing questions and answers session, that we've invited them as guests to our next webinar on 5th June 2018.