The EU Data Protection Directive was adopted in 1995, and a new, stronger regulation has since been developed to take into account the enormous technological changes of the last 20 years.
This new regulation (the General Data Protection Regulation – GDPR) applies from 25 May 2018, and organisations need to take the appropriate steps now to comply.
In bringing data protection laws up to date, the stated aim is to give individuals more control of their personal data as well as simplifying the regulatory environment.
However, these changes could mean huge fines for organisations that breach the law and pose formidable challenges as to how organisations will be required to store, delete and return data to individuals.
What these changes mean
A significant change will be an increase in the amount regulators can fine organisations that do not comply with the legislation – up to 4% of their annual global turnover or 20m euros (£15.8m), whichever is greater.
The regulation also allows individuals to claim damages for losses and distress they suffer as a result of unlawful data processing.
The new regulation places a strong emphasis on ensuring that privacy is at the heart of business decision making – “privacy by design”. This means that organisations need to take into account, and record, how new data processing activities may affect privacy before they begin.
Under the new regulations, there is a greater emphasis on ensuring that individuals are informed about how their data may be used and information on controlling this use. Specific information must be provided to individuals when their data is collected.
Where processing relies on consent, individuals must actively opt in: consent must be a clear affirmative action, so pre-ticked boxes, silence or inactivity do not count. This applies in particular to marketing communications. The way in which consent was obtained must be recorded.
Individuals are also given, in certain circumstances, greater rights to control their personal data including:
- the right to data transparency
- the right to data portability
- the right to be ‘forgotten’.
The period for responding to ‘Subject Access Requests’ has also been reduced (from 40 days to one month) and the current £10 fee has been abolished.
Organisations are required to take appropriate steps to protect personal data and will operate under a duty of ‘self reporting’: a data breach that is likely to result in a risk to individuals must be reported to the Information Commissioner’s Office within 72 hours of the organisation becoming aware of it, and the affected individuals must be told without undue delay where the risk to them is high.
The legislation will apply to any organisation that processes the personal data of individuals in the EU in connection with offering them goods or services or monitoring their behaviour, even if that organisation is not established in Europe.
The current law places obligations on Data Controllers, whereas the new law also applies directly to organisations that process data on behalf of Data Controllers – known as Data Processors. All arrangements and contracts with Data Processors will need to be reviewed to ensure they comply with the requirements of the new law.
Finally, companies and organisations will be required to demonstrate how they are complying with the legislation. Organisations employing 250 or more people have an additional obligation to maintain records of all processing activities under their responsibility; smaller organisations must also keep such records where their processing is not occasional, is likely to result in a risk to individuals, or involves special categories of data.
How we can help
By 25 May 2018 your organisation must be fully compliant. We can work with you to develop a compliance strategy.
This will usually consist of the following steps:
- appointing a senior employee as data protection officer to take overall responsibility for data protection compliance
- undertaking a data audit to identify what categories of personal data are held and processed
- reviewing the legal basis for processing data identified in the audit
- drafting new privacy notices
- reviewing agreements with third parties who process data on your behalf and ensuring that these meet the new requirements
- establishing a procedure to detect, report and investigate data breaches
- reviewing and updating internal policies and procedures relating to data protection
- developing a staff awareness programme.
See our guide to GDPR compliance for more information on the steps that your organisation needs to take.
As well as providing training for data protection officers we can deliver training across your organisation tailored to your specific requirements to ensure that all relevant staff are aware of their obligations.
Our team are very experienced in drafting specific data processing agreements with third parties who process personal data on your behalf and ensuring adequate data protection and information security provisions are incorporated in other contracts.
Requests from Data Subjects
We can help organisations develop a compliant system for handling requests received from data subjects.
We regularly advise clients on how to manage subject access requests including reviewing and editing data collated prior to responding to a subject access request.
Once a data breach is identified, it is critical to act quickly. Our team of legal experts is ready to react and advise quickly to help you manage the effects of a data breach. We also work closely with IT security experts and PR consultants to ensure that you receive a joined-up approach to dealing with such matters.
Enquiries from the Information Commissioner can be intimidating, and we can help you respond appropriately. If enforcement action is taken against you, we also have a team of experts able to assist in defending any such action and helping you to achieve the best possible outcome for your business.
Your Retainer Options
Having worked with other managers and owners in a similar position, we know that you want certainty about the costs of legal advice and how, and when, this advice can be accessed.
That is why we have devised a flexible retainer advice package which will save you time, effort, worry and money.
Prices start at £250 per month and include:
- an initial onsite review with you to determine your current level of data protection compliance, identifying any areas for improvement and helping you develop a GDPR compliance plan if you do not already have one
- ongoing telephone and email advice in relation to data protection issues
- membership of the DPO club.
The package is flexible: if you want more assistance in developing and executing a GDPR compliance plan, or if other issues arise from our initial onsite review, we can adapt our retainer to include these additional services.
We are of course also happy to work on more traditional hourly rates and to agree fixed fees for specific elements of advice if you do not wish to sign up to a full retainer package.