GDPR - General Data Protection Regulation

The General Data Protection Regulation (GDPR) has applied in the UK since 25 May 2018 and applies to all 'controllers' and 'processors' of 'personal data'. After Brexit, the Data Protection Act 2018 continues to apply GDPR standards in UK law.

The GDPR is a substantial and ambitious piece of legislation, which aims to overhaul attitudes towards the handling of personal data. The reform introduces concepts such as the right to be forgotten, data breach notification and accountability as well as requiring a higher standard of consent.

GDPR brought key changes to a number of areas:

  • Enhanced data subject rights - the right to be forgotten, rectification, data portability and the right to object, less time to respond to subject access requests;
  • Data controllers are required to have in place comprehensive and proportionate governance measures relating to data processing and being able to demonstrate compliance with the new rules;
  • Higher standard of consent where data controllers rely on consent for processing;
  • Having written agreements in place when appointing a data processor and direct compliance obligations on data processors;
  • Considering the data protection implications when conducting new processing (data protection by design and default) and conducting privacy impact assessments;
  • Notification of personal data breaches to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of them, where the breach is likely to result in a risk to individuals;
  • Appointing a Data Protection Officer in certain circumstances; and
  • Enhanced enforcement powers for non-compliance, with maximum fines of up to 4% of annual worldwide turnover or €20 million (£17.5 million under the UK GDPR), whichever is greater.

Organisations should consider a risk-based approach and take steps including:

  • Acquaint yourself with the new rules - GDPR is likely to affect different parts of your business, such as HR, marketing and IT, and all departments and teams need to work together to devise your compliance plan;
  • Conduct an information audit - start by data-mapping to determine what personal data you process, on what legal basis, where it is stored, whether it is shared and with whom, how accurate it is, and how long it is retained before deletion;
  • Review the results and consider the next steps you need to take - for example, if a legal basis for processing is no longer available or does not meet the requisite standard, consider what you can do to achieve compliance;
  • Review existing policies, procedures, privacy notices and contracts - all of these are important to ensure that you achieve GDPR compliance. For example, you may be sharing data with other organisations and need to document these data flows, or your subject access request policy may need to be amended to provide for the new rights and new timeframes to respond. Similarly, to ensure transparency you may need to review the information you include in your privacy notice so that any customer who consents to providing you with their personal data has the required information;
  • Consider appointing a data protection lead - this may be a Data Protection Officer or it could be someone else depending on your particular circumstances. Having a data protection lead could be important to ensure your organisation prepares for the new rules, reports to your organisation's Board and continuously reviews data protection obligations and updates processes to achieve compliance. Similarly, it can improve your organisation's ability to integrate data protection by design and default and conduct privacy impact assessments;
  • Introduce/review data protection training for employees - this will help them and you in complying with GDPR in day to day processes; and
  • Compile a compliance plan - as data controllers are under an obligation to demonstrate their own compliance the results from the preceding steps will assist you to demonstrate the steps you have taken including policies that you have updated or new processes that you have introduced to comply with the GDPR. This can also include a data breach response policy to ensure that in the event of a data breach there are processes in place to enable your organisation to respond.

The Commercial Department can provide support for both private and public sector organisations supporting compliance teams with data protection audits, reviewing documents, policies and procedures and providing training.

Additional Information

Information Law Services


We can tailor our information law services to suit each client's requirements. As examples we have undertaken:

  • One-off external compliance reviews
  • Document and policy reviews
  • Bespoke staff and Board training
  • Handling complex information requests (often in the context of disputes or litigation)
  • Reactive compliance support

Data Protection Officer support services are operated as a retainer with contact time and a document review included, plus incident support.

Contact Us

Get in touch to see how our experts could help you: call 0800 689 0831, request a call back or send us an email.

Contacting Us

Monday to Friday: 09:00 to 17:00
Saturday and Sunday: Closed

FAQs

What are the consequences of not complying with the GDPR?

The consequences of failing to comply with the GDPR are serious. Organisations can be fined up to €20 million or 4% of total annual worldwide turnover in the preceding financial year, whichever is higher. In addition, individuals have the right to claim compensation if they suffer distress or loss as a result of a breach of the GDPR.

Do we need a DPO?

The GDPR requires an organisation to appoint a DPO if it is a public authority, if its core activities involve regular and systematic monitoring of individuals on a large scale, or if its core activities involve processing special categories of personal data (or criminal conviction data) on a large scale. However, you can decide to appoint a DPO to assist your organisation in complying with the GDPR even if you are not legally obliged to do so.

What documents do we need to be GDPR compliant?

The GDPR places an emphasis on an organisation's accountability for how it uses personal information. This means that you will need to demonstrate that you are GDPR compliant by ensuring a culture of data protection throughout your organisation. This includes having appropriate measures and records in place to demonstrate your compliance. This may include a data protection policy, data breach policy and procedure, subject access policy and procedure, data retention policy, record of processing activity, privacy notices and contractual arrangements with suppliers to ensure GDPR compliance. More or less documentation may be required depending on the nature of your organisation.

Do we need to keep a record of processing activity?

Most organisations are required to maintain a record of their processing activities, covering areas such as the purposes of the processing, data sharing and how long information is kept for. Organisations with fewer than 250 employees are exempt from this requirement unless their processing is likely to result in a risk to individuals' rights and freedoms, is not occasional, or includes special categories of personal data or criminal conviction data. As employers, organisations routinely hold special categories of personal data about their employees (health records, for example), so it will be rare that an organisation can rely on this exemption. Therefore, most organisations will be required to keep a record of processing activity.

Does every single breach of the GDPR need to be reported?

It is mandatory to report a personal data breach under the GDPR to the Information Commissioner's Office (ICO) if it is likely to result in a risk to individuals' rights and freedoms. Therefore, if the breach poses a risk to individuals (e.g. risk of discrimination, damage to reputation, financial loss, or any other significant economic or social disadvantage), it must be reported to the ICO without undue delay and, where feasible, within 72 hours of your organisation becoming aware of it. Where the risk to individuals is high, the affected individuals must also be told without undue delay. Breaches that do not meet the reporting threshold still have to be recorded internally, together with the reasons for not reporting them.

Can we carry on using existing consents obtained under the Data Protection Act 1998?

The GDPR does not require organisations to automatically refresh existing consents. However, it does make clear that if you want to rely on consent obtained before the GDPR applied (under the Data Protection Act 1998), that consent must meet the GDPR standard (for example, a clear affirmative opt-in). If existing consents do not meet the higher GDPR standard, or are poorly documented, you will need to seek fresh GDPR-compliant consent.

Is business to business marketing affected?

The rules on consent for marketing do not apply to 'corporate subscribers' (e.g. companies, LLPs and government bodies). The GDPR only protects living individuals, and a company does not fall within that definition. However, 'corporate subscribers' does not include sole traders, who have the same protection as individuals under the GDPR. Individuals working for a company are also protected under the GDPR. Therefore, if marketing is sent to a named individual's work email address (e.g. firstname.lastname@org.co.uk) rather than a generic company address (e.g. info@org.co.uk), that individual has data protection rights under the GDPR, including the right to stop marketing being sent to that address.

How long do consents last?

The GDPR does not set a specific time limit for consent. It will degrade over time and it certainly does not last forever. Organisations will need to keep consents under review and consider refreshing consents at user-friendly intervals.


Our dedicated Commercial team

  • Bethany Paliga, Solicitor, Commercial (Chorley) - 01254 222347
  • Dan Crayford, Solicitor, Commercial (Chorley) - 01254 222451
  • Daniel Milnes, Partner, Head of Commercial (Chorley) - 01254 222313
