
Are you ready for the General Data Protection Regulation?


Organisations hold vast amounts of personal data relating to customers, employees, and suppliers as well as within marketing databases. Compliance with data protection laws is vital in order to avoid sanctions, loss of revenue and negative publicity.


The General Data Protection Regulation (GDPR) applies from May 2018 and represents a significant overhaul of data protection legislation: the accountability principle means that businesses will need to examine how they hold and use data and take steps to demonstrate compliance with the data protection principles; implied consent will no longer be acceptable, and neither will opt-outs; the heavily publicised right to be forgotten will become a reality; sanctions for breaches will be significantly higher; and the ICO has also recommended that directors be held personally liable for data breaches.

Our experts can help you navigate the impact of the GDPR, from data mapping, to gap analysis and risk assessment, through to helping you consider the practical implications of the change in the law on a business's processes and procedures.

Did you know?

GDPR will impact all areas of the business and, given the sanctions involved, needs to be dealt with at board level. It will be felt particularly by the following teams: HR, Sales & Marketing, IT and Procurement.

Board
  • The principle of accountability makes GDPR a “boardroom issue”
  • Privacy by design and default requires the implementation of appropriate technical and organisational measures and means that data protection needs to be embedded into an organisation’s processes and policies
  • An organisation with 250 or more employees, or whose processing activities are likely to result in a risk to individuals' rights and freedoms, must maintain records of its processing activities
  • Potential maximum penalties of up to EUR20 million or 4% of global turnover, whichever is the higher
  • Additional penalties could include suspension of data processing, risk of class actions, criminal sanctions, and reputational damage
  • Expanded territorial reach could affect non-EU subsidiaries whose processing activities relate to the offering of goods and services to, or the monitoring of the behaviour of, EU data subjects
  • Controllers and processors outside the EU who process personal data relating to EU data subjects may have to appoint a representative within the EU
  • Processing agreements (including those for outsourced business functions such as payroll and cloud solutions) need to be revised to include the mandatory processing provisions
  • Processes need to be in place to meet the enhanced data subject rights such as the right to access, the right to rectification, the ‘right to be forgotten’, the right to object and the right to data portability
  • Data breaches that are likely to result in a risk to individuals must be notified to the supervisory authority (the ICO in the UK) within 72 hours of the organisation becoming aware of them, and in some circumstances must also be notified to the affected data subjects
  • The ICO is recommending making directors responsible for data breaches
HR
  • A lack of employee awareness and training is one of the biggest threats to data security
  • An organisation will need to appoint a Data Protection Officer (DPO) in certain circumstances. Those with the necessary qualifications to fulfil the role will be in high demand
  • A DPO needs to have expert knowledge of data protection laws and practices and must be independent. The organisation may need to recruit externally or engage via service contract
  • A DPO has protection against dismissal or penalty for carrying out their DPO duties
  • Valid consent unlikely to be achievable in the context of monitoring employees
  • Monitoring of employees is a “high risk” activity which requires a data protection impact assessment (DPIA) to be undertaken
  • Data protection policies need to be updated and monitored closely and clearly communicated to employees
  • Equal opportunities policies also need to be reviewed to explain any changes to the way in which sensitive personal data is stored and retained
  • Information needs to be provided to employees regarding the processing of their personal data and their rights
  • Timescales for responding to data subject access requests are shortened to one month, rather than the current 40 days
IT
  • Privacy by design and default requires the implementation of appropriate technical and organisational measures to ensure a level of security appropriate to the risk and means that data protection needs to be embedded into an organisation’s processes and policies
  • Measures such as pseudonymisation and encryption of personal data should be considered
  • Adherence to an approved code of conduct or an appropriate certification mechanism can be used to demonstrate GDPR compliance
  • Data protection impact assessments need to be carried out prior to the introduction of new technology that involves ‘high risk’ processing
  • There are restrictions on sub-processing which will affect cloud solutions
  • Data breaches that are likely to result in a risk to individuals must be notified to the supervisory authority (the ICO in the UK) within 72 hours of the organisation becoming aware of them, and in some circumstances must also be notified to the affected data subjects
  • Processes need to be in place to deal with the data subject's enhanced rights such as the ‘right to be forgotten’ and the right to data portability
  • Where an arrangement involves the processing of personal data (such as an agreement for cloud based payroll software) a written contract must be entered into which details the processing activities and includes specific mandatory provisions
Procurement
  • A controller must ensure that any processor it engages provides sufficient guarantees to implement appropriate technical and organisational measures. Thorough due diligence of a supplier’s security and procedures is essential
  • Where an arrangement involves the processing of personal data (such as an agreement for outsourced payroll) a written contract must be entered into which details the processing activities and includes specific mandatory provisions
  • There are restrictions on sub-processing
  • Processors have direct obligations under the GDPR and can face fines from the supervisory authority (the ICO in the UK)
  • Data subjects can claim compensation from both controllers and processors – likely to be whoever has the deepest pockets
  • A non-EU processor will be caught by GDPR if its processing activities relate to the offering of goods and services to, or the monitoring of the behaviour of, EU data subjects
  • A non-EU processor may have to appoint a representative within the EU
  • A controller needs to ensure that the processor notifies breaches in sufficient time to enable the controller to fulfil its obligations
Sales and marketing
  • Marketers need to ensure that they have a legal basis for processing
  • Consent is likely to be needed for marketing calls and when cookies and online tracking devices are used
  • Stricter requirements for consent mean that silence and pre-ticked boxes are not sufficient. Clear affirmative action is required
  • Cookies and other online identifiers can be personal data where they can be used to identify an individual
  • Detailed and transparent information needs to be given to data subjects at the point of data capture, including information regarding their rights
  • Records must be kept demonstrating where consent has been given
  • GDPR applies to existing data, not just data collected after May 2018, so legacy databases need to be reviewed to ensure that the consents obtained meet the stricter requirements under GDPR; consent that does not meet the new standard cannot continue to be relied upon
  • Processes need to be in place to meet the enhanced data subject rights such as the right to access, the right to rectification, the ‘right to be forgotten’, the right to object and the right to data portability
  • Children under the age of 16 cannot themselves consent to the processing of their personal data in connection with online services (member states may lower this threshold to 13); parental consent is required instead
  • Privacy policies need to be revised to ensure that they are transparent and that they obtain specific and granular consents for different marketing purposes
  • Beware of buying third party databases
  • Implications of profiling need to be considered and information needs to be provided to data subjects
  • Marketers need to remember other relevant laws and not contravene these in order to get ready for GDPR (for example the Privacy and Electronic Communications Regulations (PECR))
