GDPR – the Business Impact
What is happening and when?
On 25 May 2018, new laws governing the use of all personal data will come into effect throughout the European Union (EU). Known as the General Data Protection Regulation or GDPR, this will require all businesses operating in the EU to comply with the strictest data protection laws in the world.
Why is this important for my business?
All businesses handle personal data, for example relating to their employees and to individual contacts at customers, suppliers, prospects and other organisations they deal with.
The scope of personal data is broad, covering information ranging from names, email addresses and telephone numbers to credit card numbers, location data, health data and even IP addresses. Your business will therefore need to comply with the onerous new obligations imposed on it by the GDPR and respect the stronger rights granted to individuals.
Failure to comply could expose your business to the financial impact of heavy sanctions and the reputational damage of naming and shaming. You may even be required to stop or change the way your business operates.
Why is the GDPR being introduced?
The EU already has strict but outdated data protection laws. New laws are needed to respond to rapid developments in technology such as social media, cloud-based computing services, big data analytics and artificial intelligence. These have led to huge amounts of personal data being created about all of us which is stored, transferred and used in different locations around the world, often without individuals being aware. As publicised in the media, there are increased risks to individuals posed by cyberattacks resulting in the theft of sensitive and valuable personal data, and the GDPR seeks to make all businesses take this seriously.
Will Brexit affect the GDPR?
It is widely anticipated that the UK will continue to implement GDPR-equivalent standards post-Brexit. A draft Data Protection Bill was submitted to the House of Lords in September 2017 to implement certain delegated aspects of the GDPR into English law and to ensure that the UK retains its “world class” data protection regime following Brexit.
The GDPR has extraterritorial effect; in most cases it will apply to organisations outside the EU when they process the personal data of people inside the EU. UK businesses which offer goods and services to, or monitor the behaviour of, individuals in the EU will have to comply with the GDPR when processing their personal data, both before and after Brexit.
Fines for non-compliance will increase from the current maximum of £500,000 under the Data Protection Act 1998 to €20,000,000 or 4% of total worldwide annual turnover (whichever is greater) under the GDPR.
Cyberattacks and data fraud are increasing in scale and frequency. Businesses will be required to notify the regulator, and potentially the relevant individuals, in the event of an incident which puts individuals’ personal data at risk.
Businesses will need to be able to demonstrate that their handling of individuals’ personal data is compliant with the law. In practice, most businesses will need to revise certain procedures and practices, for example in relation to record keeping, training and privacy impact assessments.
Data protection by design and by default
Businesses will need to take into account GDPR compliance whenever they implement new ways of working and create new products and services which involve the handling of individuals’ information.
Individuals will have much stronger rights under the GDPR, for example in relation to the information businesses must provide them with when collecting their personal data as well as their right to access their personal data and request its deletion. This is likely to require businesses to revise certain procedures, policies and systems.
Not only will transfers of individuals’ personal data outside the EU continue to be strictly regulated under the GDPR, the law itself may in certain circumstances apply to the processing of personal data outside of the EU. For example, a US parent company with a subsidiary operating in the UK may be regulated under the GDPR in relation to its processing of personal data relating to individuals in the UK.
Consent & marketing
Consent obtained from individuals must be of ‘GDPR quality’ in order for businesses to be able to continue to rely on it. This includes consent for the sending of certain marketing communications. Businesses must also be able to demonstrate that the consent they are relying on meets the new requirements of the GDPR. Proper record keeping is therefore essential.
International data transfers
In light of the increased fines, it is important that businesses review their current data transfers outside of the EU, both intragroup and via third party providers, and ensure that they are compliant. However, multinational businesses will welcome the broader options offered by the GDPR for facilitating global data transfers and creating global data transfer frameworks.
Mandatory data protection officers
Many businesses will find themselves subject to the requirement to appoint a data protection officer (‘DPO’) with the relevant ‘expert knowledge of data protection law and practices’.1 Businesses should carry out the necessary analysis to determine if they are required to appoint a DPO.
- Advising a ‘household name’ UK automotive sector company on its preparations for the GDPR. Our role is ongoing and ranges from strategic input on the client’s risk-based approach to identify priority areas for preparation through to preparing suites of GDPR-compliant data processing agreements.
- Advising a Tokyo Stock Exchange-listed, multi-billion dollar turnover Japanese financial services company on preparing for the implementation of the GDPR. Our role is multi-faceted, requiring us to advise the client on complex issues arising in connection with the extra-territorial application of the GDPR, cross-border data transfers, data security measures, global personnel management, handling sensitive data, and privacy impact assessments.
- Advising a ‘household name’ UK leisure sector company on its preparations for the GDPR. Our role is broad and encompasses advising on data mapping, cybersecurity, acting as a ‘sounding board’ for applying the risk-based approach to identify priority areas for action, analysing the requirement for a data protection officer, and reviewing arrangements with core IT systems providers.
- Advising a Tokyo Stock Exchange-listed, multi-billion dollar turnover technology services provider on complex cross-border data transfer compliance issues under current EU data protection law and ‘future proofing’ the arrangements under the GDPR. The matter related to the client’s provision of support services to a major Japanese healthcare company and its EU subsidiaries as part of a large-scale IT outsourcing project.
- Advising a venture capital backed developer of a new social media app on structuring the app and service to be compliant under the GDPR, with particular focus on privacy by design and by default, use of children’s data, and data portability.
- Advising a Tokyo Stock Exchange-listed, multi-billion dollar turnover Japanese industrial conglomerate on a major project to prepare for the implementation of the GDPR. We are acting as lead project counsel for the EU on all aspects of the project including:
– Delivering a data awareness training session to senior UK management covering the existing EU data protection and cybersecurity regime and changes to be brought in under the GDPR.
– Undertaking a full data audit of the client’s UK subsidiaries including conducting interviews across core business teams and reviewing policies and contracts with third party providers.
– Comprehensive reporting on the outcome of the data audit.
– Formulating a structured programme of detailed recommendations for GDPR preparation.
– Supporting the client on implementing our recommendations in the UK.
– Coordinating and working together with the client’s local legal advisers to extend the data audit and recommendations to its other European subsidiaries in multiple EU countries including France, Germany, Spain and Italy.