GDPR - General Data Protection Regulation

The General Data Protection Regulation (GDPR) came into force in the UK on 25 May and applies to all 'controllers' and 'processors' of 'personal data'.

The GDPR is a substantial and ambitious piece of legislation which aims to overhaul attitudes towards the handling of personal data. The reform introduces concepts such as the right to be forgotten, data breach notification and accountability, as well as requiring a higher standard of consent.

GDPR brings key changes to a number of areas:

  • Enhanced data subject rights - the right to be forgotten, rectification, data portability and the right to object, and less time to respond to subject access requests;
  • Data controllers are required to have in place comprehensive and proportionate governance measures relating to data processing, and to be able to demonstrate compliance with the new rules;
  • A higher standard of consent where data controllers rely on consent for processing;
  • A requirement for written agreements when appointing a data processor, and direct compliance obligations on data processors;
  • Considering the data protection implications when conducting new processing (data protection by design and default) and conducting privacy impact assessments;
  • Notification of data breaches immediately, or within 72 hours in certain circumstances;
  • Appointing a Data Protection Officer in certain circumstances; and
  • Enhanced enforcement powers for non-compliance, with maximum fines of up to 4% of annual turnover or £17 million (whichever is greater).

Organisations should consider a risk-based approach and take steps including:

  • Acquaint yourself with the new rules - GDPR is likely to affect different segments of your business, such as HR, marketing and IT, and all departments and teams will need to work together to devise your compliance plan;
  • Conduct an information audit - you could start this by data-mapping to determine what data you are processing, on what basis, where it is stored, whether it is shared and with whom, how accurate it is, and what deletion and retention periods apply;
  • Review the results and consider the next steps you need to take - for example, if a legal basis for processing is no longer available or does not meet the requisite standard, consider what you can do to achieve compliance;
  • Review existing policies, procedures, privacy notices and contracts - all of these are important to ensure that you achieve GDPR compliance. For example, you may be sharing data with different organisations and may need to document these data flows, or your subject access request policy may need to be amended to provide for new rights and new timeframes to respond. Similarly, to ensure transparency you may need to consider the information you include in your privacy notice, so that any customer who consents to providing you with their personal data has the required information;
  • Consider appointing a data protection lead - this may be a Data Protection Officer or it could be someone else, depending on your particular circumstances. Having a data protection lead can be important to ensure that your organisation prepares for the new rules, reports to your organisation's Board, continuously reviews its data protection obligations and updates processes to achieve compliance. Similarly, it can improve your organisation's ability to integrate data protection by design and default and to conduct privacy impact assessments;
  • Introduce or review data protection training for employees - this will help them and you to comply with GDPR in day-to-day processes; and
  • Compile a compliance plan - as data controllers are under an obligation to demonstrate their own compliance, the results from the preceding steps will help you to demonstrate the steps you have taken, including policies that you have updated or new processes that you have introduced to comply with the GDPR. This can also include a data breach response policy, to ensure that in the event of a data breach there are processes in place to enable your organisation to respond.

The Commercial Department can provide support for both private and public sector organisations, supporting compliance teams with data protection audits, reviewing documents, policies and procedures, and providing training.

For an initial consultation with a Commercial Solicitor at Forbes Solicitors please call us on freephone 0800 689 0831 or contact us by email today.


19 Jul 2018

Commercial
