Legal spotlight: Time to get your data in order


Businesses still have to comply with the incoming General Data Protection Regulation (GDPR), even though the UK has voted to leave the European Union. Steve Williams, a partner in accountants and advisers Moore Stephens, explains that inaction isn’t an option


The new regulation comes into full effect from May 25, 2018. The UK will still be an EU member at that date and the Government has confirmed that UK businesses must comply. EU membership isn’t critical in any case: any organisation dealing with EU citizens’ personal data is affected by the GDPR, regardless of where the organisation is located in the world.


Taking action to comply on time is particularly important because the penalties for GDPR breaches are potentially severe. Fines can be as much as 4% of global turnover or €20 million – whichever is the larger. Take Yahoo, which last year reported it had suffered a cyber attack equivalent to the largest data breach in history. If Yahoo were ever to suffer the maximum 4% fine on its $5 billion turnover that would amount to $200m. Companies found to have breached the regulation could suffer other penalties too, including being banned from doing business in a jurisdiction.


Making sure you have all the necessary processes and procedures in place to meet the GDPR requirements is no small job


The big changes


UK companies must already comply with the UK’s Data Protection Act, but the GDPR brings new and greater requirements. One of the biggest changes is that processors of data – as well as ‘data controllers’ – are covered by the regulations. This means that third-party outsourced service providers can no longer assume that all responsibility for data protection lies with their commissioning clients. From a business perspective, those outsourcers’ liabilities could rise – and so could their fees.


A key ethos behind the GDPR is that individuals should have more power over what their private information is being used for. So in future the wording in consent requests must be in plain English and easy to understand. Businesses must also make it as easy as possible for individuals to withdraw their consent whenever they want, and individuals will have the right to be ‘forgotten’ – they can ask an organisation to delete all data held on them without delay. The request must be satisfied by both data controllers and third-party data processors.


16 businessmag.co.uk


If your business breaches the new regulation and the rights and freedoms of individuals could become compromised, you will have to notify stakeholders (including the data regulator and customers) within 72 hours from the time of discovery. You therefore need to ensure you have adequate notification processes and procedures in place.


The GDPR also introduces a legal requirement for ‘privacy by design’: data protection must be considered from the start when any new systems are being designed. Businesses also need to meet data portability requirements, maintaining personal data in a machine-readable format so that it can be easily transferred on request to the individual concerned or another data controller. Individuals will also have strengthened access rights, enabling them to check where and how data held on them is being processed, and for what purpose.


Most organisations won’t need to appoint a data protection officer – only those handling large amounts of data or certain types of sensitive data (such as criminal records). However, there will still be internal record-keeping requirements.


THE BUSINESS MAGAZINE – THAMES VALLEY – MARCH 2017


Actions now


Make sure key individuals in your organisation understand the implications of the GDPR. You also need to understand your current data situation before working towards compliance. For example, do you have a full picture of the data you currently hold? Who do you share this data with? How are you currently seeking, obtaining and recording consent from your customers? What procedures do you currently have in place for detecting, recording and investigating personal data breaches?


Making sure you have all the necessary processes and procedures in place to meet the GDPR requirements is no small job. The sooner you start, the less likely you are to be facing a large penalty in a few years’ time.


Steve Williams | 020 7334 9191 | steve.williams@moorestephens.com | moorestephens.co.uk