What is the General Data Protection Regulation ("GDPR")?
The GDPR is the greatest reform of data protection for a generation and it is set to apply from 25 May 2018. As such, it will require buy-in and commitment from across your business, and it is important to ensure that you have looked at all types of personal data processed by your organisation.
There has been a lot of focus on ensuring that companies get their customer data protection practices ready for GDPR, but it is just as important to ensure that you also process employee data in accordance with the GDPR.
How will it affect your business?
- Value - The main benefit of getting data protection right under the GDPR is increased confidence in your brand, and good data protection should ultimately increase the value of your business.
- Increased fines - The consequences of ignoring the GDPR, or of not giving it the attention it requires, are substantial. Under the Data Protection Act 1998 the Information Commissioner's Office can currently issue a maximum fine of £500,000 per data protection breach. Under the GDPR, however, regulators can issue significantly higher fines on the following two-tier basis:
  - The greater of up to 2% of global annual group turnover or €10 million for more administrative breaches, such as failing to comply with breach notification obligations.
  - The greater of up to 4% of global annual group turnover or €20 million for more serious breaches, such as failing to comply with the requirements relating to international transfers or failing to obtain sufficient consent for processing.
How can we help?
We can help advise on national and international data protection matters, specifically relating to the GDPR. In particular, we can assist with the following:
- Drafting and updating data protection policies and procedures, information notices, consent requests, employment contracts, data processing agreements and data transfer agreements
- In-house data protection training and data audits
- Requests from individuals (including subject access requests)
- Assessing which grounds for lawful processing should be relied on (bearing in mind that employers should avoid relying on consent when processing employee data due to the imbalance of power in the relationship)
- Breach management and response
- Cross-border data transfer advice
- Ad-hoc queries on the impact of the GDPR
For more information please contact us.