Legal focus


Clear your boardroom agenda: Data protection is the next hot topic


Important changes for your business are taking place in the world of data protection. The current regime is being replaced with the General Data Protection Regulation (GDPR), writes Matthew Lea of Herrington Carmichael.


Whilst data protection may have previously been treated as an afterthought, the GDPR contains onerous provisions that will require many businesses to re-evaluate their current processes and procedures for recording, handling and transferring data.


Key changes you need to know and prepare for:


1) Processors. One of the most significant changes under the GDPR is the introduction of direct obligations placed on data processors. The new obligations include implementing certain technical and organisational measures, notifying the data controller of data breaches and, in certain circumstances, appointing a data protection officer.


2) Sanctions. One area likely to be the focus of much attention is the increased level of penalties. The GDPR enables the relevant Data Protection Authority to impose fines on both data processors and controllers for certain infringements of up to 4% of annual worldwide turnover or 20,000,000 euros (whichever is higher).


3) Consent. Consent to the processing of a data subject’s personal data under the new regime must be a “freely given, specific, informed and unambiguous indication” of the data subject’s wishes shown by a “clear affirmative action”. Existing consents may still be sufficient, but only in so far as they meet the new requirement. Many businesses will need to review their practices to i) ensure any previous consents given to process data meet the new requirements or request compliant consents from data subjects and ii) update any processes which do not meet the new requirements.


4) International transfers. Where data exporters rely on data subjects’ consent to transfer data outside of the EEA, they will now need to ensure that the data subject has consented to the proposed transfer, after being informed of the risks of such transfers. It is anticipated that many businesses’ current processes will not comply and should therefore be reviewed.




5) Data Protection Officers (DPO). A requirement for data controllers and data processors to designate a DPO in certain circumstances has been introduced. A DPO must be appointed where i) the processing is carried out by a public authority or body, ii) the core activities of the controller or processor consist of processing operations which by their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale, or iii) the core activities of the controller or processor consist of processing on a large scale of certain categories of data.


Any DPO appointed must have expert knowledge of data protection law; the necessary level of expert knowledge will depend on the data processing being carried out.


6) Data protection by design and default. The GDPR introduces further obligations on data controllers to ensure data protection by design and default. This requires the data controller to implement appropriate technical and organisational measures to ensure compliance with the GDPR at both i) the time of contemplating the means for processing and ii) the time of the processing itself. The measures include carrying out data protection impact assessments, maintaining certain documentation and putting procedures in place to ensure that only data that are necessary for the purposes of the processing are processed and not retained beyond the minimum necessary for those purposes (known as data minimisation).


What should your business be doing now?


The GDPR will not come into force immediately and will likely take effect mid-2018. In the meantime, your business should be preparing for and assessing the impact the GDPR is going to have on how you do business. In particular:


1) Put in place bespoke policies which identify key data protection risks in your business and contain procedures to ensure you process data lawfully;


THE BUSINESS MAGAZINE – THAMES VALLEY – JUNE 2016


2) If you rely on data subjects’ consent for processing data, review your points of consent (eg T&Cs/website) to ensure compliance;


3) If you store any amount of personal data, be mindful of the requirements for data minimisation;


4) If you are a data processor, be aware of the introduction of the direct obligations placed on you. You should review your policies, procedures and contracts to ensure compliance. You may also find your customers want to ensure you are compliant; and


5) Check that your employees are trained and understand the new obligations.


For further information, or to discuss the issues raised in this article, contact me using the details below.


Details: Matthew Lea 0118-9774045 matthew.lea@herrington-carmichael.com

