• Contact
  • Accountants: +44 (0) 1753 551111
  • Solicitors: +44 (0) 20 7067 4300

Date of publication: November 2019

The GDPR came into force on 25 May 2018 with the intention of harmonising European data protection laws with the demands and challenges of ‘big data’.

This Quick Guide intends to cover some of the major points of the GDPR but we strongly recommend someone in your organisation takes responsibility in overseeing your business’ compliance with GDPR and you consult advisers or solicitors to assist along the way.

Who does the GDPR apply to?

The GDPR applies to any business, whether established inside or outside of the EU, which offers goods or services to people in the EU, including employment, or monitors behaviours of anybody located within the EU.

The GDPR will continue to apply in the UK in the event of Brexit, although there will be additional steps that need to be taken in respect of cross-border transfers involving the UK and any EU country.

Key Definitions

Personal Data is information that relates to a living individual who can be directly or indirectly identified through this data. This could be a name, address, email, ID number, ethnicity, gender, and IP address to name a few. If it is possible to identify an individual directly or indirectly from a combination of information you are processing, then that information will be Personal Data.

Controller – is the natural or legal person, public authority, agency or other body that determines the means and purposes of processing Personal Data.

Processor – the party responsible for processing Personal Data on behalf of, and on the instruction of, the Controller.

Data Subject – this is the individual whose Personal Data is being processed, e.g. customers, clients, employees, website visitors.

Processing – almost any activity involving Personal Data, including collecting, recording, storing, amending, disclosing or even destroying Personal Data.

Data Protection Principles

Wherever Personal Data is processed, it must be in accordance with the seven protection and accountability principles.

  • Lawfulness, fairness and transparency - Personal Data must be processed lawfully, fairly and in a transparent manner.
  • Purpose limitation – Personal Data must only be collected for a specified, explicit and legitimate purpose communicated to the Data Subject.
  • Data Minimisation – Personal Data must be adequate, relevant and limited to what is absolutely necessary for the purposes specified.
  • Accuracy – Personal Data must be accurate and kept up to date.
  • Storage Limitation – Personal Data can only be stored for as long as necessary for its specified purpose.
  • Integrity and Confidentiality – Personal Data must be processed using appropriate technical and organisational measures to ensure appropriate security, including protection against unauthorised or unlawful processing and accidental loss, destruction or damage.

The Controller is responsible for and must be able to demonstrate compliance with all of the data protection principles. This is unofficially known as the seventh principle of accountability.

When is Personal Data allowed to be processed?

Personal Data can only be processed if one of the following legal basis is in place:

  • The Data Subject has given specific, unambiguous consent to process their Personal Data.
  • Processing is necessary to perform a contract with the Data Subject.
  • Processing is necessary for compliance with a legal obligation.
  • Processing is necessary to protect the vital interests of the Data Subject or another person (e.g. to save someone’s life).
  • Processing is necessary for the performance of a task carried out in the public interest or to exercise official authority (note this is not often relevant to private businesses).
  • Processing is in the data controller’s legitimate interests except where such interests are overridden by the interest, rights or freedoms of the Data Subject.

For most private businesses, there is likely to be consideration of both consent and legitimate interests as the legal basis for processing.

Data Subject Privacy Rights

The GDPR recognises various privacy rights for Data Subjects, which aim to give individuals more control over their Personal Data.

These include: the right to be informed; right of access; right to rectification; right to erasure; right to restrict processing; right to data portability; right to object and rights in relation to automated decision making and profiling.

Security and Breach Reporting

An organisation is required to raise reportable Personal Data breaches or security incidents to the regulator within 72 hours of becoming aware of it.

Systems, procedures and policies should be in place to ensure consistent monitoring and the ability to rapidly report data breaches or security incidents.

Technical measures will vary depending upon the nature of the business, but might include two-factor authentication on accounts where Personal Data is stored and end-to-end encryption when using with contracted cloud providers.

Penalties, Enforcement Action and Claims

The maximum fine under the GDPR is up to 4% of annual global turnover or €20 million, whichever is greater, for the organisations that infringe its requirements.

The UK’s supervisory authority, the ICO (Information Commissioner’s Office) also has at its disposal, a range of investigative, corrective and advisory powers to ensure organisational compliance with the GDPR, including:

  • Issuing warnings and reprimands;
  • Ordering compliance with a subject access request (SAR);
  • Imposing a temporary or permanent ban on data processing;
  • Ordering the rectification, restriction or erasure of data; and
  • Suspending data transfers to third countries.

Compensation

Individuals can bring claims for compensation and damages against both controller and processors where there is a breach of the GDPR.

A controller may be liable for damage (including for material damage such as distress)caused by its breach of the GDPR. The same is true for processors where it is a processor at fault for damage caused in breach of its own GDPR obligations.

There is currently no guideline or case precedents about how much compensation an individual can be awarded for a claim under the GDPR. What will be considered is the seriousness of the breach and the impact on data subjects.  

What should businesses be doing?

Data Protection goes hand in hand with cyber-security, and provides business with risks and opportunities.

Controllers must be able to demonstrate that they, and their supply chain, are GDPR-compliant, and this can be used as a very attractive marketing tool to boost confidence amongst customers and partners alike.

Some preliminary steps to take to assist achieving this include:

  • Designating data protection responsibilities to a specific individual or team.
  • Identifying what Personal Data the business processes. Understanding where it comes from, where it goes, where it resides, what value the data has and who is responsible for it.
  • Creating a security strategy and implementing policies that enable the business to protect data (including personal data), secure access to it and have the means to erase it.
  • Implementing data processing agreements with all contracting counterparties.

How we can help

Oury Clark works with its clients to review their current levels of compliance, assess vulnerabilities and draw up action plans to meet the legal requirements of the GDPR, as well as assisting clients with their ongoing compliance responsibilities.

It is a legal requirement to have up-to-date GDPR-compliant Privacy Notices in place that apply to services, website access, app usage, employee information and any other area in which Personal Data may be disclosed to, or accessed by, the organisation.

When transferring Personal Data outside of Europe – even where this is intra-group or simply to globally hosted servers as part of a cloud-based solution, then adequate safeguards need to be ensured to the standard of GDPR. Most often this requires specifically worded Data Processing Agreements that we can assist to implement.

Many businesses have already taken great leaps towards GDPR compliance, however we recommend taking a look at our ‘Current GDPR Landscape Quick Guide’ to see some of the things that we suggest businesses consider implementing in order to address the developments and regulatory patterns that have emerged over the past 12 months.

Should you require advice or assistance, then please contact Cacy-Leigh Neilson at CNeilson@ocsolicitors.com or on +44 (0)207 067 4300.

  • Member of London Partners
  • Member of London of Chamber Commerce and Industry
  • The Royal South Bucks Agricultural Association
  • The Association for UK Interactive Entertainment
  • Offical Xero Partner

Copyright © 2013 - Oury Clark.