Law: GDPR – Coming, ready or not


Businesses now rely on technology and the transfer of data online more than ever before, leading to an increased risk of data breaches occurring. This has led to an overhaul of data protection laws in Europe


Europe’s data protection laws will undergo their biggest change in two decades when the new General Data Protection Regulation (GDPR) comes into force on May 25. GDPR will replace the current UK Data Protection Act 1998, and will harmonise data protection requirements across all EU member states.


GDPR: Everything you wanted to know but never dared to ask


Does this apply to me?


GDPR will apply to all companies, however big or small, that market goods or services to EU residents, even if a company does not have an establishment in the EU. Companies may, therefore, find themselves subject to the new regime even if they have no business presence in the EU; technology companies are a typical example.


What is personal data?


The GDPR applies to ‘personal data’, meaning any information relating to an identifiable person who can be directly or indirectly identified, in particular by reference to an identifier. GDPR broadens the definition of ‘personal data’ to include location data and online identifiers, such as IP addresses and cookie data. ‘Sensitive data’ such as biometric and genetic data, which businesses increasingly collect, will be subject to a higher standard under GDPR.


Am I liable?


Data processors (responsible for processing data on behalf of a data controller, who determines the purpose and means of processing personal data) will now be directly liable for some matters which were previously only the data controller’s responsibility. This is particularly significant as there will now be the possibility for individuals to enforce their rights directly against data processors.


Am I accountable?


Businesses will not just need to comply with GDPR, but will have to do so in a demonstrable manner. Policies and procedures must be documented, updated and impact assessments must be undertaken. Businesses will also need to consider privacy implications when designing new processes, products or services.


What are the consent requirements?


GDPR requires a higher level of consent: businesses must obtain specific, informed and unambiguous consent, given by a clear affirmative action (for example, the individual ticking a box that is not pre-ticked), to process that individual’s data in certain circumstances. Consent must be explicit and easy to withdraw.


What happens if I am in breach?


GDPR will dramatically increase fines for non-compliance. Companies violating GDPR may be fined up to €10 million or 2% of their global annual turnover, whichever is greater, for smaller offences. For more serious offences, this is increased to €20 million or 4% of a company’s global annual turnover, whichever is greater.


THE BUSINESS MAGAZINE – MARCH/APRIL 2018 businessmag.co.uk 79


Is GDPR just another ‘Millennium Bug’?


Unlike with the Millennium Bug, GDPR is known, and we know what is coming. The new legislation will happen, and it will come into force on May 25.


There is, however, more to be concerned about than just receiving a fine for non-compliance. Judicial remedies are also likely to be sought, where damages could amount to much more than any fine, for example through the potential loss of share value in non-compliant companies. The media could also have a field day ‘naming and shaming’ organisations that are found non-compliant.


GDPR: Not just a project


There is still a tendency within some businesses to think that GDPR is a one-off project. This is not the case. Identifying temporary resource and allocating one-off budgets to comply with GDPR will not make it ‘go away’.


Getting ready for GDPR will mean implementing ongoing privacy governance, policies and processes, and continuously training staff on GDPR compliance. If a company’s process for collecting data changes, policies and procedures will need to be updated accordingly.


For example, in commercial deals, data protection and privacy have gone from being a last-minute, minor consideration, if a consideration at all, to a major hurdle to overcome in order to close a deal. In addition, the new and expanded rights under GDPR hugely increase the potential for data protection to be used as a weapon in the context of employment disputes.


Owing to the breadth of GDPR, businesses are advised to conduct an audit and a comprehensive review of the data they hold and their existing data protection procedures, allowing sufficient time and resources to effect the changes required to ensure GDPR compliance.


Download our full GDPR and Data Protection guides at: herrington-carmichael.com

