Date of publication: November 2019
The GDPR came into force on 25 May 2018 with the intention of harmonising European data protection laws with the demands and challenges of ‘big data’.
This Quick Guide intends to cover some of the major points of the GDPR, but we strongly recommend that someone in your organisation takes responsibility for overseeing your business’ compliance with the GDPR and that you consult advisers or solicitors to assist along the way.
The GDPR applies to any business, whether established inside or outside of the EU, which offers goods or services to people in the EU, including employment, or monitors behaviours of anybody located within the EU.
The GDPR will continue to apply in the UK in the event of Brexit, although there will be additional steps that need to be taken in respect of cross-border transfers involving the UK and any EU country.
Personal Data is information that relates to a living individual who can be directly or indirectly identified through this data. This could be a name, address, email, ID number, ethnicity, gender, and IP address to name a few. If it is possible to identify an individual directly or indirectly from a combination of information you are processing, then that information will be Personal Data.
Controller – the natural or legal person, public authority, agency or other body that determines the means and purposes of processing Personal Data.
Processor – the party responsible for processing Personal Data on behalf of, and on the instruction of, the Controller.
Data Subject – this is the individual whose Personal Data is being processed, e.g. customers, clients, employees, website visitors.
Processing – almost any activity involving Personal Data, including collecting, recording, storing, amending, disclosing or even destroying Personal Data.
Wherever Personal Data is processed, it must be in accordance with the seven protection and accountability principles.
The Controller is responsible for and must be able to demonstrate compliance with all of the data protection principles. This is unofficially known as the seventh principle of accountability.
Personal Data can only be processed if one of the following legal bases is in place:
For most private businesses, there is likely to be consideration of both consent and legitimate interests as the legal basis for processing.
The GDPR recognises various privacy rights for Data Subjects, which aim to give individuals more control over their Personal Data.
These include: the right to be informed; right of access; right to rectification; right to erasure; right to restrict processing; right to data portability; right to object and rights in relation to automated decision making and profiling.
An organisation is required to report reportable Personal Data breaches or security incidents to the regulator within 72 hours of becoming aware of them.
Systems, procedures and policies should be in place to ensure consistent monitoring and the ability to rapidly report data breaches or security incidents.
Technical measures will vary depending upon the nature of the business, but might include two-factor authentication on accounts where Personal Data is stored and end-to-end encryption when working with contracted cloud providers.
The maximum fine under the GDPR is up to 4% of annual global turnover or €20 million, whichever is greater, for organisations that infringe its requirements.
The UK’s supervisory authority, the ICO (Information Commissioner’s Office), also has at its disposal a range of investigative, corrective and advisory powers to ensure organisational compliance with the GDPR, including:
Individuals can bring claims for compensation and damages against both controllers and processors where there is a breach of the GDPR.
A controller may be liable for damage (including for material damage such as distress) caused by its breach of the GDPR. The same is true for a processor where the processor is at fault for damage caused by a breach of its own GDPR obligations.
There is currently no guideline or case precedent on how much compensation an individual can be awarded for a claim under the GDPR. What will be considered is the seriousness of the breach and its impact on data subjects.
Data Protection goes hand in hand with cyber-security, and presents businesses with both risks and opportunities.
Controllers must be able to demonstrate that they, and their supply chain, are GDPR-compliant, and this can be used as a very attractive marketing tool to boost confidence amongst customers and partners alike.
Some preliminary steps to take to assist achieving this include:
Oury Clark works with its clients to review their current levels of compliance, assess vulnerabilities and draw up action plans to meet the legal requirements of the GDPR, as well as assisting clients with their ongoing compliance responsibilities.
It is a legal requirement to have up-to-date GDPR-compliant Privacy Notices in place that apply to services, website access, app usage, employee information and any other area in which Personal Data may be disclosed to, or accessed by, the organisation.
When transferring Personal Data outside of Europe – even where this is intra-group or simply to globally hosted servers as part of a cloud-based solution – adequate safeguards need to be ensured to the standard of the GDPR. Most often this requires specifically worded Data Processing Agreements, which we can assist you to implement.
Many businesses have already taken great leaps towards GDPR compliance; however, we recommend taking a look at our ‘Current GDPR Landscape Quick Guide’ to see some of the things that we suggest businesses consider implementing in order to address the developments and regulatory patterns that have emerged over the past 12 months.
Should you require advice or assistance, then please contact Cacy-Leigh Neilson at CNeilson@ocsolicitors.com or on +44 (0)207 067 4300.
Copyright © 2013 - Oury Clark.