All you need to know about the General Data Protection Regulation (GDPR) (2016/679)

Download our whitepaper: Getting ready for data's new dawn

Organisations hold vast amounts of personal data relating to customers, employees, and suppliers as well as within marketing databases. Compliance with data protection laws is vital in order to avoid sanctions, loss of revenue and negative publicity.

Download GDPR factsheet

The General Data Protection Regulation (GDPR) has applied since 25 May 2018 and represents a significant overhaul of data protection legislation: the accountability principle means that businesses need to examine and regularly review how they hold and use data, and take steps to demonstrate compliance with the data protection principles.

Our experts can help you navigate the impact of the GDPR – from data mapping, to gap analysis and risk assessment and security as well as making sure your commercial contracts appropriately deal with your data use.

Did you know?

GDPR affects all areas of the business and, given the sanctions involved, needs to be dealt with at board level. It particularly affects the following teams: HR, Sales & Marketing, IT and Procurement.

Board
  • The principle of accountability makes GDPR a “boardroom issue”
  • Privacy by design and default requires the implementation of appropriate technical and organisational measures, usually embedded in the relevant software; the organisation’s processes and policies also need to address data protection
  • An organisation with 250 or more employees, or whose processing activities are likely to result in a risk to individuals’ rights and freedoms, must maintain records of its processing activities
  • Potential maximum penalties of up to EUR20 million or 4% of global annual turnover, whichever is the higher
  • Additional penalties could include suspension of data processing, risk of class actions, criminal sanctions, and reputational damage
  • Expanded territorial reach affects non-EU subsidiaries whose processing activities relate to the offering of goods and services to, or monitoring the behaviour of, EU data subjects
  • Controllers and processors outside the EU who process personal data relating to EU data subjects may have to appoint a representative within the EU
  • Processes need to be in place to meet the enhanced data subject rights such as the right to access, the right to rectification, the ‘right to be forgotten’, the right to object and the right to data portability
  • Data breaches must be notified to the supervisory authority (the ICO in the UK) within 72 hours of the organisation becoming aware of them, unless the breach is unlikely to result in a risk to individuals, and in some circumstances must also be notified to the affected data subjects
HR
  • A lack of employee awareness and training is one of the biggest threats to data security
  • An organisation will need to appoint a Data Protection Officer (DPO) in certain circumstances. Those with the necessary qualifications to fulfil the role will be in high demand
  • A DPO needs to have expert knowledge of data protection laws and practices and must be independent
  • A DPO has protection against dismissal or penalty for carrying out their DPO duties
  • Monitoring of employees is a “high risk” activity which requires a Data Protection Impact Assessment (DPIA) to be undertaken
  • Data Protection Impact Assessments can be a useful tool more generally
  • Data protection policies need to be updated, monitored closely and clearly communicated to employees (including a possible review of equal opportunities policies relating to how sensitive personal data is stored and retained)
  • Information must be provided to employees regarding the processing of their personal data and their rights
  • The timescale for responding to a data subject access request is one month, extendable by up to two further months where requests are complex or numerous
IT
  • Privacy by design and default requires the implementation of appropriate technical and organisational measures (usually embedded in software or IT solutions) to ensure a level of security appropriate to the risk and regular testing
  • There is an ongoing obligation to maintain data security, not a one-off compliance exercise
  • Measures such as pseudonymisation and encryption of personal data should be considered
  • Adherence to an approved code of conduct or an appropriate certification mechanism can be used to demonstrate GDPR compliance
  • Data protection impact assessments need to be carried out prior to the introduction of new technology that involves ‘high risk’ processing
  • There are restrictions on sub-processing which need to be catered for
  • Data breaches must be notified to the supervisory authority (the ICO in the UK) within 72 hours of the organisation becoming aware of them, unless the breach is unlikely to result in a risk to individuals, and in some circumstances must also be notified to the affected data subjects
  • Processes need to be in place to deal with data subjects’ enhanced rights such as the ‘right to be forgotten’ and the right to data portability
  • Where an arrangement involves the processing of personal data (such as an agreement for cloud based payroll software) a written contract must be entered into which details the processing activities and includes specific mandatory provisions
Procurement
  • A controller must ensure that any processor it engages provides sufficient guarantees to implement appropriate technical and organisational measures to ensure compliance with GDPR, including the secure storage of any personal data. Thorough due diligence of a supplier’s security and procedures is essential, as is careful review of contracts
  • Where an arrangement involves the processing of personal data (such as an agreement for outsourced payroll) a written contract must be entered into which details the processing activities and includes specific mandatory provisions and considers liability issues
  • There are restrictions on sub-processing
  • Processors have direct obligations under the GDPR and can face fines from the supervisory authority (the ICO in the UK)
  • A non-EU processor will be caught by GDPR if its processing activities relate to the offering of goods and services to, or monitoring the behaviour of, EU data subjects
  • A non-EU processor may have to appoint a representative within the EU
  • A controller needs to ensure that the processor notifies breaches in sufficient time to enable the controller to fulfil its obligations
Sales and marketing
  • Marketers need to ensure that they have a legal basis for processing. This requires a regular review of all databases
  • Consent is generally needed for marketing calls and emails, and for the use of cookies and similar online tracking technologies
  • Stricter requirements for consent mean that a clear affirmative action is required, and that consent must be as easy to withdraw as it was to give
  • Detailed and transparent information needs to be given to data subjects at the point of data capture, including information regarding their rights and the intended use the data will be put to
  • Records must be kept demonstrating where consent has been given
  • Processes need to be in place to meet the enhanced data subject rights such as the right to access, the right to rectification, the ‘right to be forgotten’, the right to object and the right to data portability
  • There are special rules relating to children
  • Privacy policies need to be revised to ensure that they are transparent and that they obtain specific and granular consents for different marketing purposes
  • Beware of buying third party databases
  • Marketers need to remember other relevant laws and not contravene these in order to get ready for GDPR (for example the Privacy and Electronic Communication Regulations (PECR))
Call +44 (0)118 959 7150 or email [email protected] to find out how Boyes Turner will help ensure your business stays compliant.