General Data Protection Regulation (GDPR)
Data protection law will change substantially on 25 May 2018. The changes bring a huge increase in regulatory risk, which in turn can result in severe penalties. They will apply to all UK businesses irrespective of Brexit. This briefing sets out what’s new, what you should be doing, and how we can help.
- The changes contain many additional and more onerous obligations, including detailed record keeping and documentation requirements, and some significant new data protection concepts. In addition, the penalties for getting it wrong are much more severe.
- The concepts are similar to the current data protection laws, but with added detail and accountability.
- Significantly larger fines if you get things wrong – up to 4% of annual worldwide turnover or 20 million euros (whichever is greater)
- Requirement to carry out a data protection impact assessment
- Requirement to appoint a data protection officer
- Direct obligations and liability on data processors
- Accountability requirement, increased record keeping obligations
- Mandatory data breach reporting
- Higher standard for consent
- Increased requirements for privacy notices
- Principle of data protection “by design” and “by default”
- Right of consumers to “be forgotten” and to data portability
- Concept of pseudonymous data
- One stop shop for multinationals, with a lead supervisory authority
- Extended territorial scope – non-EU businesses directly subject to the GDPR.
What should you be doing?
With the potential for high fines, as well as the fact that good data protection practice helps build trust and can act as a competitive differentiator, businesses need to start work now on becoming compliant with the GDPR.
How can we help?
We provide clear, commercially pragmatic advice on data protection compliance and preparation for the GDPR. We will carry out a comprehensive GDPR readiness assessment, with gap analysis and recommendations to help determine which business processes you will need to review and implement in preparation for the GDPR.
In particular we provide strategic advice on:
- Drafting privacy policies, data retention policies, and incident response plans
- Data processing arrangements, including due diligence on vendors, and drafting data processing agreements
- Data protection and HR, including drafting staff data protection policies, communications monitoring, recruitment and selection
- International data transfers, including implementation of Model Clauses, Privacy Shield and Binding Corporate Rules
- Advising on personal rights, including the right to be forgotten, data portability, subject access requests
- Compliance with e-marketing and cookie regulations
- Carrying out a data protection impact assessment or compliance audit
- Provision of data protection training to staff
- Dealings with the ICO and other regulatory authorities, investigations and proceedings
- Checking post-implementation changes
In the event of a data security breach incident we provide rapid legal support to mitigate legal risk including compliance with reporting requirements, communications to data subjects, service providers and other stakeholders, and handling legal claims.
Follow Fox Williams’ UK and EU Data Protection and Privacy law blog at www.idatalaw.com.
If you would like more detailed GDPR guidance do please contact us.