In January 2012 the European Commission kick-started four years of lobbying and debate after publishing the draft General Data Protection Regulation (GDPR). The result of the negotiations is the GDPR, a law that has been designed to revamp data protection legislation across the EU and the UK regardless of when (and if) Brexit happens.
The new legislation comes into effect on 25th May 2018. From that point on, all organisations, from SMEs to international corporations, that handle personal data relating to individuals in the EU must comply with the GDPR. This means companies will be accountable for the “processing” (a term that covers every act in relation to the data, such as obtaining, storing, moving, backing up and deleting it) of any data that is capable of identifying a living individual, regardless of how this data is collected, sent, processed and stored. The data must be protected, and that protection has to be verifiable.
The GDPR applies to any organisation that has control over personal data as well as those that process personal data on behalf of another organisation.
Understand the impact of the GDPR
Many organisations haven’t fully understood the impact these changes will have and are not sufficiently prepared to implement the changes needed to be compliant. The complexities of the GDPR mean a ‘one size fits all’ approach may leave organisations at risk of a breach.
It is critical that any business is aware of the personal data it holds and has a plan for dealing with it. The costs of not complying with the GDPR are high. Financially, a business can face fines of up to 4% of annual turnover or 20 million euros, whichever is the higher.
The digital economy
It’s not all about fines. The new regulation seeks to acknowledge that data is a key currency in business. In the data-driven world we now live in, the benefits and opportunities that personal data presents to organisations are unparalleled. The GDPR looks to ensure there are clear rules on the use and protection of that valuable data.
Are you ready?
It’s important that your organisation looks ahead to the GDPR and lays the foundations to ensure compliance. Your approach should include:
- Reviewing the GDPR guidance.
- Assessing your data processing activities.
- Highlighting the systems and processes that use data, and for what purpose.
- Identifying current compliance measures and procedures.
- Implementing internal procedures.
- Creating a GDPR compliance gap analysis.
- Designing and implementing a set of compliance guidelines, or building on guidelines already in place.
- Executing any technical or procedural changes needed.
- Designing and implementing training programmes.
- Monitoring compliance.
How can we help?
Our team of GDPR specialists offers the following services:
- An audit of your organisation to help identify what data you hold, the purposes for which you process that data, the current measures you have in place to comply with data protection legislation and where the key risks of non-compliance are.
- Reviewing your existing contracts with employees, contractors and suppliers to identify whether they address data protection and, more specifically, the GDPR.
- Varying your existing contracts so that they address the changes brought about by the GDPR and adequately protect you going forward.
- Advising you on steps to take to comply with privacy by design requirements for new technology projects.
- Drafting of applicable policies and procedures to support compliance with the new regime.
- Whether you are a data processor or a data controller under a particular contractual arrangement, we can advise you on what your obligations are under the current data protection regime and how these will change once the GDPR comes into force.
- Advice on what due diligence you should be carrying out when looking to engage a third party as a data processor.
- Tailored training on what the GDPR will mean for your business and what steps you can take towards meeting the requirements of the legislation.
- Data breach incident response support and advice.
- Advice on responding to subject access requests, including guidance on the applicable procedures to ensure requests are managed and the risk of confidential information being disclosed is mitigated.