What Is The GDPR? Legal Implications and Legislation

Year Published: 2018

 
 
The data protection developments together with a general increase in awareness of fundamental rights, particularly the right to privacy, have led to legislative changes in the form of the GDPR and the emergence of a new regime of privacy protection.

Businesses are increasingly aggregating employee or customer information and collecting and processing data. In addition, this data is often passed to third party service providers.

While information technology has made the collection, compilation, analysis and delivery of information as easy as the click of a button, many companies fail to understand the legal consequences of engaging in these activities.

Kaye Whitby, Partner & Head of Commercial Law at SAS Daniels Chester

Kaye Whitby, Partner & Head of Commercial Law

The authorities have the power and will impose significant fines on non-compliant businesses.

The new EU General Data Protection Regulation (GDPR) takes effect on 25 May 2018 and introduces a new harmonised data protection compliance regime.

In addition to extensive legal reforms, the GDPR also introduces far more substantial penalties of up to 4% of annual worldwide turnover of the preceding financial year or 20 million euros (whichever is the greater).

Individuals who suffer damage or distress as a result of breaches of legislation may also be entitled to seek redress through the civil courts.

In addition, a company’s failure to comply with relevant data protection legislation and implement an effective privacy policy can trigger several criminal offences as well as exposing the company and its directors to civil liability.

Organisations must now recognise the significant impact that an adverse ruling can have on its operations. Aside from the business interruption, inconvenience and cost that will result from remedying breaches, a company that is seen to disregard the privacy of its employees, customers and suppliers may suffer considerable reputational damage.

Companies that have either failed to address data protection or, where they have attempted to do so, have adopted a piecemeal approach may well leave them with significant areas of continuing potential liability and numerous administrative problems under the GDPR.

All businesses must design and maintain a compliance programme

The GDPR is considered to impose the strictest regime and, it comes into force on 25 May 2018, it is therefore vital to base a compliance programme on these standards. The key steps involved in establishing an effective compliance programme for a business are as follows:

  • Appointing a Data Protection Officer (DPO).
  • Conducting an internal data processing and compliance audit throughout the business.
  • Identifying the data controller(s) (both intra-group and third party).
  • Selecting the registrable particulars in respect of the data controllers or, where applicable, the databases within the business and submitting appropriate registrations, where required. Note the GDPR abolishes the obligation to register with and notify data protection authorities and replaces it with a data controller’s ‘accountability’ obligation to demonstrate compliance with data protection principles, for example through evidence of an effective compliance programme. In other words a business must demonstrate compliance with the GDPR.
  • Identifying the data processor(s) (both internally and third party).
  • Ensuring appropriate legal grounds exist for each processing activity, for example:
    • Sending unsolicited commercial communications; or
    • Data transfers to third party processors.
  • Implementing systems to ensure only authorised employees have access to personal data.
  • Ensuring that appropriate data security levels exist within the business and appropriate arrangements have been put in place with third party processors.
  • Preparing and providing appropriate privacy notifications (for example, to employees and customers) regarding the company’s processing activities.
  • Providing and maintaining a training programme for employees with access to personal data within the company.
  • Maintaining the compliance programme.

For more information on GDPR and how we can help, please contact Kaye Whitby in our Commercial Law team on 0844 391 5830.

You can also find out more about GDPR and how we can help on our ‘How to perpare for the GDPR‘ page.

Related Tags: , , ,


Your Key Contact:

Share This:


Disclaimer: Our insight & opinion content provides general information and although we endeavor to ensure that the content is accurate and up-to-date, no representation or warranty, express or implied, is made as to its accuracy or completeness and therefore the information should not be relied upon. The content should not be construed as legal or other professional advice and SAS Daniels LLP disclaims liability for any loss, howsoever caused, arising directly or indirectly from reliance on the information on this website. Please seek appropriate legal advice from one of our suitably qualified lawyers if you require assistance.