GDPR: what does it mean for your business?
GDPR (General Data Protection Regulation) is here. What does that mean for you and your business?
All businesses in the UK are now subject to the new GDPR legislation. This legislation has replaced the Data Protection Act (1998) and increases the responsibilities of data controllers and processors as well as the rights of individuals. GDPR also applies to all businesses controlling and processing the personal data of individuals residing in the EU, even if the business is based outside the EU.
Fines for data breaches and non-compliance are based on a two-tiered system:
- Breaches of some provisions by businesses, which are deemed to be most important for data protection, could lead to fines of up to €20 million or 4% of global annual turnover, whichever is greater.
- For other breaches, the authorities could impose fines on companies of up to €10m or 2% of global annual turnover, again, whichever is greater.
Is your business compliant and can you prove it?
Under a new principle of accountability, businesses need to review and change their consent processes, processing notices, policies and procedures to reflect the law under GDPR. It is no longer enough to be compliant with data legislation; you will have to be able to demonstrate compliance under GDPR principles.
To help you ensure that your business is GDPR compliant we have developed a GDPR Toolkit. This Toolkit allows your organisation to assess its current compliance position against the requirements of the GDPR.
How it works
The toolkit includes a series of questions which need to be answered and a request for associated documents. Once completed we then review the responses and documents provided and meet with key heads of department to deal with any queries. We can either do this once the Toolkit is partially completed or meet with you upfront to help with the Toolkit’s completion.
We will then turn this information into a tabular report which highlights areas where compliance is achieved, where the business has a plan or route towards compliance, or where further action is required, and if so, in relation to what.
To find out more about our toolkit and how it could support your business, contact Andrew Evans, partner in our Commercial team.
The 6 other principles of GDPR
1. Lawfulness, transparency and fairness – the lawful basis on which the data is processed must be demonstrated fairly and transparently to the data subject.
2. Purpose limitation – ensuring data is captured for specific and legitimate purposes.
3. Data minimisation – ensuring personal data is adequate and relevant.
4. Accuracy – ensuring personal data is kept up-to-date.
5. Storage limitation – ensuring data is kept no longer than necessary.
6. Integrity and confidentiality – ensuring appropriate measures are in place to secure the data, including preventing unauthorised or unlawful processing and protecting against accidental loss, destruction or damage.
Get started with GDPR data mapping – use our template
As the first step in a GDPR compliance project, businesses need to ‘map’ their data and information flows in order to assess their privacy risks. Compiling this information also assists your business in meeting its obligation to demonstrate compliance with the GDPR under the new principle of ‘accountability’.
We have developed a template to help you to begin the process of mapping your personal data.
A guide to GDPR data processing notices
In order for data controllers to fulfil the principle of lawfulness, transparency and fairness under GDPR, special consideration must be given to privacy (or data processing) notices. A longer and more detailed list of information must be provided in a privacy notice than under the DPA, and the type of information that must be provided will depend on how the data was obtained.
Our guide summarises these changes as a starting point for updating your data processing notices.