12th June 2018

GDPR: Have you made sure you have done everything to comply?

Now that the GDPR has come into force, it’s absolutely essential that businesses ensure they’re following the new regulations. The consequences of non-compliance have the potential to cause great financial damage and the enforcement agencies operating in each of the EU nations will be taking their new responsibilities incredibly seriously. Here, we take a look at a few GDPR basics, examine what’s changing under the new regulations, and what non-compliance could mean for your business.

The basics

The General Data Protection Regulation (GDPR) came into effect on the 25th May 2018. It applies to all member states of the EU and introduces a number of new processes, procedures, rights, and responsibilities concerning the way organisations handle personal data. The regulations aim to standardise data management practices across Europe and ensure that businesses and public bodies are collecting, storing, transferring, and deleting data in a secure and ethical manner.

How should data be handled?

The GDPR is predominantly focused on the management of both ‘personal data’ and ‘sensitive personal data’. The first of these terms means any piece of data that can be used to identify an individual. This includes names, addresses, phone numbers, and IP addresses, among other things. Sensitive personal data is data that is not readily available, such as religious or political beliefs, sexuality, and genetic information.

In terms of the major implications of GDPR, there are a number of important factors businesses must consider if they’re to ensure compliance. They include:

  • A clear process for obtaining the permission of individuals whose data is being collected and stored.
  • The implementation of a process that allows individuals to request information pertaining to their stored personal data. This data must be provided within one month and organisations must do so for free. Similar processes that allow personal data to be deleted should also be implemented.
  • The reporting of any data breach or loss to the relevant enforcement agency within 72 hours. Those individuals affected by the data breach must also be notified.
  • Those companies that employ more than 250 members of staff must detail why the information is being collected, how long it will be stored for, and what security measures are being taken to protect it.
  • Any organisation that carries out regular and systematic data collection must appoint a Data Protection Officer (DPO).

Non-Compliance

One of the most eye-catching aspects of the GDPR is the willingness of EU authorities to back their policy with extremely large fines for non-compliance. Organisations that are found to have breached the regulations will face a financial penalty of up to €20 million or 4% of global annual turnover, whichever is greater. While only the worst offenders will be hit with the maximum fine, the ability to tailor the punishment to reflect both the severity of the breach and the financial clout of the infringing company makes the GDPR a powerful regulatory tool. However, enforcement agencies in each of the EU nations covered by GDPR will aim to encourage and reward attempted adoption of the regulations – even if there are early issues with compliance – rather than immediately punishing businesses with severe fines. If organisations can demonstrate that they’re making concerted efforts to comply with GDPR, the UK government has offered reassurances that its approach will be defined by its leniency.

Conclusion

While implementation of the GDPR will result in widespread changes in the vast majority of UK businesses, it’s not as radical a departure from existing data protection regulations as has been portrayed. However, threatened with large fines and damage to their reputation, businesses need to ensure that they’re complying with the new measures.

Though we’ve listed the most important changes included in the GDPR, the legislation consists of over 90 individual articles. Consequently, businesses should seek legal guidance if they have any concerns relating to their own data handling and management practices.

If you have any further questions about GDPR or any other legal issues your business is facing, please contact Alec Brooks, Partner and Head of Company & Commercial on 01256 305503 or email alec.brooks@lambbrooks.com

The contents of this article are for the purposes of general awareness only. They do not purport to constitute legal or professional advice. The law may have changed since this article was published. Readers should not act on the basis of the information included and should take appropriate professional advice upon their own particular circumstances.