The data protection developments together with a general increase in awareness of fundamental rights, particularly the right to privacy, have led to legislative changes in the form of the GDPR and the emergence of a new regime of privacy protection.
Businesses are increasingly aggregating employee or customer information and collecting and processing data. In addition, this data is often passed to third party service providers.
While information technology has made the collection, compilation, analysis and delivery of information as easy as the click of a button, many companies fail to understand the legal consequences of engaging in these activities.
The authorities have the power and will impose significant fines on non-compliant businesses.
The new EU General Data Protection Regulation (GDPR) takes effect on 25 May 2018 and introduces a new harmonised data protection compliance regime.
In addition to extensive legal reforms, the GDPR also introduces far more substantial penalties of up to 4% of annual worldwide turnover of the preceding financial year or 20 million euros (whichever is the greater).
Individuals who suffer damage or distress as a result of breaches of legislation may also be entitled to seek redress through the civil courts.
Organisations must now recognise the significant impact that an adverse ruling can have on its operations. Aside from the business interruption, inconvenience and cost that will result from remedying breaches, a company that is seen to disregard the privacy of its employees, customers and suppliers may suffer considerable reputational damage.
Companies that have either failed to address data protection or, where they have attempted to do so, have adopted a piecemeal approach may well leave them with significant areas of continuing potential liability and numerous administrative problems under the GDPR.
All businesses must design and maintain a compliance programme
The GDPR is considered to impose the strictest regime and, it comes into force on 25 May 2018, it is therefore vital to base a compliance programme on these standards. The key steps involved in establishing an effective compliance programme for a business are as follows:
- Appointing a Data Protection Officer (DPO).
- Conducting an internal data processing and compliance audit throughout the business.
- Identifying the data controller(s) (both intra-group and third party).
- Selecting the registrable particulars in respect of the data controllers or, where applicable, the databases within the business and submitting appropriate registrations, where required. Note the GDPR abolishes the obligation to register with and notify data protection authorities and replaces it with a data controller’s ‘accountability’ obligation to demonstrate compliance with data protection principles, for example through evidence of an effective compliance programme. In other words a business must demonstrate compliance with the GDPR.
- Identifying the data processor(s) (both internally and third party).
- Ensuring appropriate legal grounds exist for each processing activity, for example:
- Sending unsolicited commercial communications; or
- Data transfers to third party processors.
- Implementing systems to ensure only authorised employees have access to personal data.
- Ensuring that appropriate data security levels exist within the business and appropriate arrangements have been put in place with third party processors.
- Preparing and providing appropriate privacy notifications (for example, to employees and customers) regarding the company’s processing activities.
- Providing and maintaining a training programme for employees with access to personal data within the company.
- Maintaining the compliance programme.
For more information on GDPR and how we can help, please contact Kaye Whitby in our Commercial Law team on 0844 391 5830.
You can also find out more about GDPR and how we can help on our ‘How to perpare for the GDPR‘ page.