The GDPR came into force on 25 May 2018 with the intention of harmonising European data protection laws with the demands and challenges of ‘big data’.
Following Brexit, the GDPR will remain in force in the UK and has been implemented into UK law. Further, the EU has formally granted theUK “equivalence” which enables the free movement of data between the EU and the UK to continue.
However, the UK Government is currently undergoing a consultation period which looks to amend the UK implementation of the GDPR. Generally, the suggested changes do not necessarily lessen the protections available under the GDPR but look to provide more flexibility in the processes needed to ensure protection.
This Quick Guide intends to cover some of the major points of the GDPR, but we strongly recommend someone in your organisation takes responsibility in overseeing your business’ compliance with GDPR and UK data protection and you consult advisers or solicitors to assist along the way.
The GDPR applies to any business, whether established inside or outside of the EU, that offers goods or services to people in the EU (including employment) or monitors behaviours of anybody located within the EU.
Similarly, the UK’s retained version of the GDPR, applies to any business, whether established inside or outside of the UK, that offers goods or services to people in the UK (including employment) or monitors behaviours of anybody located within the UK.
Personal Data is information that relates to a living individual who can be directly or indirectly identified through this data. This could be a name, address, email, ID number, ethnicity, gender, and IP address to name a few.
Controller – determines the means and purposes of processing Personal Data.
Processor – processes Personal Data on behalf of, and on the instruction of, the Controller.
Data Subject – this is the living individual whose Personal Data is being processed, e.g. customers, clients, employees, website visitors.
Processing – almost any activity involving Personal Data, including collecting, recording, storing, amending, disclosing or even destroying Personal Data.
Wherever Personal Data is processed, it must be in accordance with the seven protection and accountability principles. The Controller is responsible for and must be able to demonstrate compliance with all of the data protection principles.
Personal Data can only be processed if one of the following legal basis is in place:
For most private businesses, there is likely to be consideration of both performance of a contract and legitimate interests as the legal basis for processing.
The GDPR recognises various privacy rights for Data Subjects, which aim to give individuals more control over their Personal Data including the right to:
Access to data is a key right and one that often causes the most problems for businesses.
An organisation is required to raise reportable Personal Data breaches or security incidents to the regulator within 72 hours of becoming aware of it.
Systems, procedures and policies should be in place to ensure consistent monitoring and the ability to rapidly report data breaches or security incidents.
The maximum fine under the GDPR is up to 4% of annual global turnover or €20 million, whichever is greater.
The UK’s supervisory authority, the ICO (Information Commissioner’s Office) also has a range of investigative, corrective and advisory powers to ensure compliance with the GDPR.
Individuals can bring claims for compensation and damages against both controller and processors where there is a breach of the GDPR.
A controller may be liable for damage (including for material damage such as distress) caused by its breach of the GDPR. The same is true for processors where it is a processor at fault for damage caused in breach of its own GDPR obligations.
Controllers must be able to demonstrate that they, and their supply chain, are GDPR-compliant, and this can be used as a very attractive marketing tool to boost confidence amongst customers and partners alike.
Some preliminary steps to take to assist achieving this include:
It is a legal requirement to have up-to-date GDPR-compliant Privacy Notices in place that apply to your services. We can assist in reviewing or drafting an appropriate Privacy Notice for your business.
When transferring Personal Data outside of Europe or the UK, we can assist with drafting an International Transfer Agreement and Standard Contractual Clauses to meet the standard of GDPR.
Our legal team can advise on any compliance, breaches, data subject access requests, ICO investigations and any other data protection concerns you may have.
Copyright © 2013 - Oury Clark.
Oury Clark is authorised and regulated by the Financial Conduct Authority and is entered on the Financial Services Register under reference 100556.