- For Business
- Alternative Dispute Resolution
- Banking Services and Secured Lending
- Commercial Contracts
- Commercial Dispute Resolution
- Commercial Property
- Construction Disputes
- Corporate Advice and Transactions
- Debt Recovery
- Employment Law
- Intellectual Property and IT
- Professional Negligence
- Professional Practices
- Property Litigation
- For Individuals
- For Public Sector
Data Protection (GDPR)
Are you ready for The General Data Protection Regulation (GDPR). . . ? If not, please contact us
On 25 May 2018, GDPR will affect every organisation that processes personal data of persons resident within the European Union. The new Regulation is far more extensive in application and scope than the current Data Protection Act 1998 (DPA) which will be swept away on the introduction of GDPR. Both HM Government and the Information Commissioner have confirmed that UK organisations processing personal data will still need to comply with GDPR, regardless of Brexit.
GDPR introduces a number of key changes that UK organisations need to be aware of, ten of which are set out below:
- Definition of personal data – Unlike within the DPA, the GDPR definition is more detailed and brings in other factors which may be used to identify an individual within the defined term
- Consent – GDPR imposes new rules on obtaining consent. Affirmative consent must be obtained in all cases. Parental consent is required in order for organisations to process personal data of children under the age of 16.
- The Data Protection Officer (DPO) – For certain defined organisations, including all public bodies, and for certain defined processing activities, the appointment of a DPO is mandatory. It is a GDPR requirement that the DPO must have “expert knowledge of data protection law and practices”. The function of the DPA may, under GDPR, be outsourced.
- Data Protection Impact Assessments (DPIAs) become a legal requirement. – Organisations must carry our DPIAs when using new technologies and where data processing is likely to result in a high risk to the rights and freedom of individuals.
- Data breach notifications. – Data controllers will be required to report data breaches to the Information Commissioner unless it is unlikely to represent a risk to the rights and freedoms of those data subjects. The notice must be made within 72 hours of data controllers becoming aware of it, unless there are exceptional circumstances, which will have to be justified. In certain circumstances the data subjects themselves must be notified.
- The new ‘right to be forgotten’. – GDPR introduces for data subjects ‘the right to be forgotten’ and sets out guidance on when data subjects can exercise such rights.
- New data processor responsibilities – Unlike DPA, data processors now have direct legal obligations and responsibilities and may be held liable for data breaches.
- New rules on data portability – Data portability will allow a data subject to request a copy of personal data in a format usable by them and electronically transmissible to another processing system.
- The introduction of ‘privacy by design’. – The GDPR contains requirements for ‘privacy by design’. Organisations must therefore take into account privacy from product or service concept not just at delivery.
- Tougher penalties for non-compliance – The Regulation provides for considerably tougher penalties than those provided for to the Information Commissioner under current legislation. A two-tier sanction regime is provided for under GDPR. Breaches of some provisions by organisations, which GDPR has deemed to be most important for data protection, could lead to fines of up to €20 million or 4% of global annual turnover for the preceding financial year, whichever is the greater. For other more minor breaches, the fines on organisations of up to €10m or 2% of global annual turnover, whichever is greater may be imposed.
Get In Touch Today
If you would like a no obligation discussion, please feel free to contact us either by phone on 02920 345511 or emailing us below.