Get Help Understanding the General Data Protection Regulation

Posted: 25th August 2017 by
d.marsden
Last updated 25th September 2017

The new General Data Protection Regulation (GDPR) comes into force in May 2018. Employment Partner, Richard Thomas, and Commercial Associate, Maria Coggins, from commercial law firm Capital Law, look at what businesses and individuals need to know.


What is GDPR?

On 25th May 2018, the General Data Protection Regulation (GDPR) will come into force, replacing the Data Protection Act 1998. This will be the most significant change in data protection law in the last 20 years. It will change the way organisations are able to capture, use and share personal data – both within their business and externally.


Does this apply to all businesses?

Yes. All organisations – regardless of sector or size – will have to comply with the new GDPR. There’s no small business exemption.

This isn’t just important for employers – the GDPR applies across the board. Most businesses operating in the UK, from SMEs to global franchises and public-sector bodies, hold information about individuals (employees, customers or anyone else) and will be affected by the new law.


What are the significant changes?

Traditionally, organisations have relied on consent to process personal data. This is usually through clauses in employment contracts or terms and conditions, stating that individuals consent to their data being processed. Under GDPR, this type of consent will be much more difficult to rely on, as it’s unlikely to be considered ‘freely given’ – a requirement under the new law.

For employers, this’ll mean thinking more carefully about the legitimate business reasons for collecting and using employee data, and relying on these reasons – rather than consent. Businesses will also need to consider the grounds on which they process other types of personal data, like customer information.

The GDPR provides several other legitimate reasons for processing personal data – but when these don’t apply, and businesses can only process based on consent, they’ll need to review how this is obtained.

Employers will also have to provide ‘Fair Processing Notices’ – setting out, in clear detail, why they’re collecting and processing data. For other data, businesses might already provide these notices in documents like privacy policies – but they should review these in line with the new law. A Fair Processing Notice will need to include details like:

· The purpose and legal basis for data processing

· The categories of data being processed

· The recipients of the data

· Information confirming the data subject's legal rights and their right to lodge a complaint with the Supervisory Authority (in the UK, this is the Information Commissioner).

This increased level of transparency will require a big culture change – and is something all businesses will have to get used to.

Reporting certain data breaches will also become increasingly important for all organisations. GDPR will introduce a new legal duty to formally report certain types of data breaches within 72 hours of becoming aware of the breach. If a data breach could risk an individual’s confidentiality or financial position, organisations must notify the ICO within 72 hours, and could be fined if they don’t. This is another significant change – and all organisations should train staff to understand what could constitute a data breach.


What happens if the new GDPR isn’t followed?

Once the regulations come in, all organisations must be compliant.

Failing to comply with the new regulations could leave any organisation open to enforcement action which could damage their public reputation – as well as their bank balance. The maximum penalty could be up to £17m – or 4% of global turnover, whichever is higher.

Individuals will also become increasingly aware of their rights under the GDPR – and are likely to complain if they suspect a breach. The ICO will take complaints seriously, and is likely to come down hard on organisations that haven’t reported a breach themselves. Businesses could be opening themselves up to two fines – one for not reporting a breach, and the other for the breach itself.


How can Capital Law help?

We take a hands-on approach to assisting with the changes required under the GDPR, advising not just on the letter of the law, but also giving practical guidance on how to prepare for the new regime.

We can help you to consider:

· How the changes will require more than a simple update to data protection policies

· Why employers will find it much harder to rely on consent

· How the new legal rights for individuals could impact core projects/procedures

· Data Protection Officers – do you need one and what’s their role?

· Difficulties surrounding data for marketing purposes

· The impact it will have on Corporate Governance

· New enforcement actions.

We’re also hosting workshops that’ll equip you with detailed knowledge of how GDPR affects your organisation, and what you need to do to ensure compliance.

To book on to our courses, or to find out more, visit our webpage: www.capitallaw.co.uk/services/general-data-protection-regulations.


Richard Thomas

Partner

Maria Coggins

Associate

www.capital-law.co.uk

Richard graduated from London School of Economics before returning to his home town of Cardiff to commence his legal career.

Richard has a particular interest in the health sector; he worked as an in-house lawyer for NHS Wales for a number of years, advising them on a variety of employment law issues.

He advises on a wide range of individual and collective employment law issues including:

· corporate acquisitions

· disposals

· mergers

· outsourcing

· restructuring – including collective redundancies and consultations

· trade union issues.

Maria trained as a solicitor at Capital Law and works in the Corporate and Commercial team with a dual specialism in commercial work and corporate restructuring. Maria advises clients in respect of supply agreements, terms and conditions, commercial joint ventures, agency and distribution agreements and a range of regulatory and compliance matters. She completed a ten-month secondment with France Telecom Orange in their Group Fraud and Revenue Assurance team and delivers training to clients on effective legal risk management.

Welsh with a global outlook, Capital Law offers clear, insightful advice that is commercial and relevant. Capital specialises in providing legal and professional services to trading organisations throughout the UK, Europe and beyond. Its legal expertise spans both public and private sectors, for a wide range of clients; from multi-nationals to tech start-ups. Its main areas of practice are employment, property, corporate and commercial, and commercial disputes. Capital is the only law firm in Wales to have an integrated management consultancy business, Capital People, allowing it to provide comprehensive training and consultancy alongside excellent legal advice.


About Lawyer Monthly

Lawyer Monthly is a news website and monthly legal publication with content that is entirely defined by the significant legal news from around the world.