This legislation contains some onerous obligations, many of which take considerable time and effort to prepare for. Non-compliance has serious penalties in the form of fines. The new GDPR maximum fine is €20m, or 4% of an organisation’s global turnover (if higher).
What can Lupton Fawcett do to help?
We can help you address the steps you will need to take to ensure your GDPR compliance including:
- Conduct a complete audit of your data protection practices
- Provide you with a guidance report on the actions required to become compliant and the practical steps required to getting there
- Draft relevant documents including: policies, notices and consent forms.
- Review and/or draft contractual arrangements for others who process data on your behalf
- Fully review policies and provide guidance for the transfer of data to any foreign locations
- Provide training for your people on the issues they must understand and actions they must take in regard to data compliance.
If you are facing an ICO investigation or associated court hearings we are able to advise and represent you.
GDPR (EU General Data Protection Regulation) – what it is and key points to consider
- Who does the GDPR apply to?
- What information does the GDPR apply to?
- Principles of GDPR
- Data Subject rights
- Data Processors
- How Lupton Fawcett can help with GDPR compliance
The GDPR applies to “controllers and processors”. The controller is the person who determines the purpose, and the manner in which personal data is processed. The processor acts on the controller’s behalf.
What information does the GDPR apply to:
The GDPR applies to “personal data” but the definition is more expansive to reflect changes in technology and how information on people is collected.
Personal data such as HR records, customer lists or contact details are all covered by the GDPR. The GDPR applies to both automated personal data and certain manual filing systems.
Sensitive personal data needs to be treated with extreme caution, and includes raicial or ethnic origin, religious or philosophical beliefs, trade union membership, health data and information about a persons sex life or sexual orientation, genetic and biometric data.
Principles of GDPR
Under the GDPR the data protection principles set out the main responsibilities for organisations, for example, that data is processed lawfully, is collected only for specified, explicit and legitimate purposes and is accurate and appropriately secure.
The GDPR introduces an accountability requirement with a focus on the legal basis for processing personal data and transparency.
You are expected to put into place comprehensive and proportionate governance measures to minimise the risk of breaches and to protect personal data. Practically this will mean policies and procedures for organisations.
The giving of consent is one of the gateways through which a controller can establish a legal basis for processing personal data.
The definition of “consent” is strict under the GDPR. Consent should be freely given, specific, informed and unambiguous. Implied consent (e.g. not responding to a request) will not be sufficient.
Data Subject rights
The GDPR sets out the rights for individuals:
- The right to be informed on what data is being processed, typically through a privacy notice which must include detailed information;
- The right to access their personal data – information must be provided within 1 month;
- The right to rectification if data is inaccurate or incomplete;
- The right to erasure: this is known as the “right to be forgotten”. Data subject has the right to require a controller to delete data files if there are no legitimate grounds for retaining them.
- The right to restrict processing: i.e have the right to block the processing of data, for example when the accuracy of personal data is contested.
- The right to data portability: which allows individuals to move, copy or transfer personal data easily between one IT environment to another in a secure and safe manner;
- The right to object: individuals have the right to object to processing on grounds relating to his or her particular situation unless there are compelling legitimate grounds for processing.
- Rights relating to automated decision making and profiling: the GDPR provides safeguards for individuals against the risk of a decision being taken without human intervention.
The GDPR directly regulates data processors, extending the formal contractual requirements needed between data controllers and data processors. Data processors have a duty to comply and potential liability if they fail.
The GDPR increased responsibility and accountability on organisations to manage how they control and process personal data. This complements the transparency requirements.
Organisations are expected to put in place comprehensive and proportionate governance measures. The measures include:
- Keeping a detailed record of processing operations;
- Conducting a privacy impact assessment;
- Designating a data protection officer (“DPO”) if required (this only applies if you are a public authority, carry out large-scale systematic monitoring of individuals, or carry out large scale processing of special categories of data). If appointing a DPO is not a requirement for your organisation you must still ensure someone has the skills to discharge the organisation’s obligations under the GDPR;
- Notifying the Regulator of data breaches. Mandatory notification promptly and at the latest, within 72 hours is a significant new measure imposed by the GDPR. A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration or unauthorised disclosure of personal data;
- Implementing “privacy by design and default”. Under the GDPR organisations have an obligation to implement technical and organisational measures to demonstrate that you have considered and integrated data protection into your processing activities.
The regime under the GDPR provides for regulators to impose high financial sanctions, £20m or up to 4% of the annual worldwide turnover of an organisation if higher.
The GDPR is applied consistently across all EU member states thereby creating uniformity of approach in imposing sanctions for breach.
- Audit of your data protection practices
- We will visit your premises and interview the key personnel who manage data in your organisation.
- We will view the physical and digital arrangements that you have for storage of documentation.
- We will review your key data protection policies, consent forms and other documents.
- We will review your key data protection statements on your website.
- We will provide you with a report of the steps you must take to become GDPR compliant and how you can achieve them
- Following our audit visit, we will draft a full audit report.
- We will highlight the areas where you are compliant with data protection legislation.
- We will highlight any areas where your processes and arrangements fall short of the requirements of the data protection legislation.
- We will recommend the steps that you should take to ensure that you are fully compliant with the data protection legislation.
- We can prepare all policies, notices, consent forms etc you will require to ensure GDPR compliance
- We will advise you about your obligations concerning the transfer of data to foreign locations and provide guidance on the steps and limits you must implement to ensure compliance
- We will review your current contracts and advise on any amendments to be made.
- Where necessary we will provide further contractual documentation.
- However good policies and procedure are, the possibility of human error will always remain. We offer training courses to educate the relevant individuals and teams on how to understand the issues, and how to embed the right behaviours.
Contact us for help
To speak to a solicitor about our GDPR services or for advice, call us on 0333 323 5292, or download our team sheet. Alternatively, send us an email or complete the form on this page to let us know that you would like to hear from us.