The first EU Data Protection Directive dates from 1995, but a new, stronger regulation was developed to take account of the enormous technological changes of the following 20 years.

This regulation (the General Data Protection Regulation, GDPR) has applied since 25 May 2018, and organisations need to take the appropriate steps to comply.

In bringing data protection laws up to date, the stated aim is to give individuals more control of their personal data as well as simplify the regulatory environment.

However, these changes mean far larger potential fines for organisations that breach the law, and they pose formidable challenges as to how organisations store, delete and return personal data to individuals.

What these changes mean

A significant change is an increase in the maximum fine regulators can impose on organisations that do not comply with the legislation: up to 4% of annual worldwide turnover or 20 million euros (£15.8m), whichever is greater.

The regulation also allows individuals to claim damages for losses and distress they suffer as a result of unlawful data processing.

The regulation places a strong emphasis on building privacy into business decision-making (“privacy by design”, or in the regulation’s own words “data protection by design and by default”). This means that organisations need to assess and record how their new data processing activities may affect privacy, and where processing is likely to result in a high risk to individuals a data protection impact assessment must be carried out before it begins.

Under the regulation, there is a greater emphasis on ensuring that individuals are informed about how their data may be used and how they can control that use. Specific information must be provided to individuals at the time their data is collected, normally in the form of a privacy notice.

Where an organisation relies on consent as its basis for processing (for example, for direct marketing), individuals must actively opt in: consent must be given by a clear affirmative action, so pre-ticked boxes, silence or inactivity do not count, and the organisation must be able to demonstrate when and how that consent was obtained.

Individuals are also given, in certain circumstances, greater rights to control their personal data, including:

  • the right to be informed about, and to obtain access to, the data held about them
  • the right to data portability
  • the right to erasure (the right to be ‘forgotten’).

The period for responding to ‘Subject Access Requests’ has been reduced from 40 days to one month (extendable by a further two months for complex requests), and the former £10 fee has been abolished; a reasonable fee can only be charged where a request is manifestly unfounded or excessive.

Organisations are required to take appropriate technical and organisational measures to protect personal data, and operate under a duty of ‘self-reporting’: a personal data breach must be reported to the Information Commissioner’s Office within 72 hours of the organisation becoming aware of it, unless the breach is unlikely to result in a risk to individuals. Where a breach is likely to result in a high risk to the individuals concerned, they must also be told without undue delay.

The legislation applies to any organisation that processes the personal data of individuals in the EU in connection with offering them goods or services or monitoring their behaviour, even if that organisation is not based in Europe.

The regulation places obligations directly on those organisations that process data on behalf of Data Controllers (known as Data Processors) as well as on the Data Controller itself. All arrangements and contracts with Data Processors will need to be reviewed to ensure that they contain the terms the regulation now requires.

Finally, organisations are required to be able to demonstrate how they comply with the legislation. Those with 250 or more employees must maintain records of all processing activities under their responsibility; smaller organisations must do so where their processing is not occasional, is likely to result in a risk to individuals, or involves special categories of data or data relating to criminal convictions.

How we can help

Compliance Advice

Since 25 May 2018, your organisation has been required to be fully compliant. We can work with you to develop a compliance strategy.

This will usually consist of the following steps:

  • appointing a data protection officer where the regulation requires one, or otherwise a senior employee, to take overall responsibility for data protection compliance
  • undertaking a data audit to identify what categories of personal data are held and processed
  • reviewing the legal basis for processing data identified in the audit
  • drafting new privacy notices
  • reviewing agreements with third parties who process data on your behalf and ensuring that these meet the new requirements
  • establishing a procedure to detect, report and investigate data breaches
  • reviewing and updating internal policies and procedures relating to data protection
  • developing a staff awareness programme.

See our guide to GDPR compliance for more information on the steps that your organisation needs to take.

Training

As well as providing training for data protection officers, we can deliver training across your organisation tailored to your specific requirements to ensure that all relevant staff are aware of their obligations.

Contract Drafting

Our team is very experienced in drafting data processing agreements with third parties who process personal data on your behalf, and in ensuring that adequate data protection and information security provisions are incorporated into other contracts.

Requests from Data Subjects

We can help organisations develop a compliant system for handling requests received from data subjects.

We regularly advise clients on how to manage subject access requests, including reviewing and redacting the data collated before it is disclosed in response to the request.

Data Breaches

Once a data breach is identified, it is critical to act quickly. Our team of legal experts is ready to advise promptly to help you manage the effects of a data breach. We also work closely with IT security experts and PR consultants so that you receive a joined-up approach to dealing with such matters.

Enforcement Action

Enquiries from the Information Commissioner can be intimidating, and we can help you respond appropriately. If enforcement action is taken against you, we also have a team of experts able to assist in defending it and to help you achieve the best possible outcome for your business.

Your Retainer Options

Having worked with other managers and owners in a similar position, we know that you want certainty about the costs of legal advice and how and when this advice can be accessed.

That is why we have devised a flexible retainer advice package that will save you time, effort, worry, and money.

Prices start at £250 per month and include:

  • an initial onsite review with you to determine your current level of data protection compliance, identify any areas for improvement and help you develop a GDPR compliance plan if you do not already have one
  • ongoing telephone and email advice in relation to data protection issues
  • membership of the DPO club.

The package is flexible, and if you want more assistance in developing and executing a GDPR compliance plan or other issues arise from our initial onsite review, we can adapt our retainer to include these additional services.

We are, of course, also happy to work on more traditional hourly rates and to agree to fixed fees for specific elements of advice if you do not wish to sign up for a full retainer package.
