GDPR Advice

Our specialist technology lawyers have provided GDPR advice to SMEs, UK household names and Stock Exchange-listed, multi-billion dollar companies alike. Get in touch with us today if you’re in need of specialist GDPR advice for your business.

What is the GDPR?

On 25 May 2018, new laws governing the use of all personal data came into effect throughout the European Union (EU). Known as the General Data Protection Regulation or GDPR, this required all businesses operating in the EU to comply with the strictest data protection laws in the world.

Why is this important for my business?

All businesses handle personal data, for example relating to their employees and to individual contacts at customers, suppliers, prospects and other organisations they deal with.

The scope of personal data is broad, covering information ranging from names, email addresses and telephone numbers to credit card numbers, location data, health data and even IP addresses. Your business therefore needs to comply with the onerous new obligations imposed on it by the GDPR and respect the stronger rights granted to individuals.

Failure to comply could expose your business to the financial impact of heavy sanctions and the reputational damage of naming and shaming. You may even be required to stop or change the way your business operates. Businesses should seek specialist GDPR advice.

Why was the GDPR introduced?

The EU already had strict but outdated data protection laws. New laws were needed to respond to rapid developments in technology such as social media, cloud-based computing services, big data analytics and artificial intelligence. These have led to huge amounts of personal data being created about all of us, which is stored, transferred and used in different locations around the world, often without individuals being aware. As publicised in the media, cyberattacks resulting in the theft of sensitive and valuable personal data pose increased risks to individuals, and the GDPR seeks to make all businesses take this seriously.

Does GDPR still apply in the UK?

The UK GDPR is in essence the GDPR (EU/2016) retained by the UK upon leaving the EU. The obligations in the Regulation largely mirror those contained in the EU GDPR (EU/2016). The Regulation is intended to give individuals control and protection of their personal data by governing how organisations, businesses or other individuals dealing with the data of UK citizens go about processing and using it.

The GDPR has extraterritorial effect; in most cases, it applies to organisations outside the EU when they process the personal data of people inside the EU. UK businesses which offer goods and services to, or monitor the behaviour of, individuals in the EU will have to comply with the GDPR when processing their personal data.

Higher fines

Fines for non-compliance have increased from the previous maximum of £500,000 under the Data Protection Act 1998 to €20,000,000 or 4% of total worldwide annual turnover (whichever is greater) under the GDPR.

Data security

Cyberattacks and data fraud have increased in scale and frequency. Businesses are now required to notify the regulator, and potentially the relevant individuals, in the event of an incident which puts individuals’ personal data at risk.

Accountability

Businesses must be able to demonstrate that their handling of individuals’ personal data is compliant with the law. In practice, most businesses need to revise a number of their former procedures and practices in the light of the GDPR, for example in relation to record keeping, training and privacy impact assessments.

Data protection by design and by default

Businesses have to take into account GDPR compliance whenever they implement new ways of working and create new products and services which involve the handling of individuals’ information. Businesses effectively have to ‘bake in’ data protection measures to new products and processes.

Individuals’ rights

Individuals have a number of rights under the GDPR, for example in relation to the information that businesses must provide to them when collecting their personal data, as well as their right to access their personal data and request its deletion. This requires businesses to have procedures, policies and systems in place that enable a data subject to exercise any of their rights.

International scope

Not only do transfers of individuals’ personal data outside the UK and the EU continue to be strictly regulated under the GDPR, the law itself may in certain circumstances apply to the processing of personal data outside of the UK or EU. For example, a US parent company with a subsidiary operating in the UK may be regulated under the GDPR in relation to its processing of personal data relating to individuals in the UK.

Consent & marketing

Data protection legislation requires any consent given to meet certain thresholds, so that consent gives the individual ultimate control over how their data is processed for specific purposes; this is especially important when processing special categories of data. It includes consent for the sending of certain marketing communications. Businesses must also be able to demonstrate that the consent they are relying on meets the requirements of the GDPR. Proper record keeping is therefore essential.

International data transfers

Chapter 5 of the GDPR regulates the transfer of personal data to third countries or international organisations. Where a business is transferring personal data outside the UK or the EU, it will need to ensure it meets the requirements of Chapter 5 of the GDPR, either by confirming that the recipient country has an adequacy decision in place or by putting in place another valid transfer mechanism, known as ‘appropriate safeguards’, to protect the data transfer. It is important that businesses review their current data transfers outside of the UK or the EU, both intragroup and via third party providers, and ensure that they are compliant. Businesses should seek expert GDPR advice if unsure about compliance with international data transfer mechanisms.

Mandatory data protection officers

Many businesses now find themselves subject to the requirement to appoint a data protection officer (‘DPO’) with the relevant ‘expert knowledge of data protection law and practices’. Businesses need to have carried out the necessary analysis to determine whether they are required to appoint a DPO.


GDPR Advice Credentials

  • Advising a ‘household name’ UK automotive sector company on its preparations for the GDPR. Our role is ongoing and ranges from strategic input on the client’s risk-based approach to identify priority areas for preparation through to preparing suites of GDPR compliant data processing agreements.
  • Advising a Tokyo Stock Exchange-listed, multi-billion dollar turnover Japanese financial services company on preparing for the implementation of the GDPR. Our role is multi-faceted, requiring us to advise the client on complex issues arising in connection with the extra-territorial application of the GDPR, cross-border data transfers, data security measures, global personnel management, handling sensitive data, and privacy impact assessments.
  • Advising a ‘household name’ UK leisure sector company on its preparations for the GDPR. Our role is broad and encompasses advising on data mapping, cybersecurity, acting as a ‘sounding board’ for applying the risk-based approach to identify priority areas for action, analysing the requirement for a data protection officer, and reviewing arrangements with core IT systems providers.
  • Advising a Tokyo Stock Exchange-listed, multi-billion dollar turnover technology services provider on complex cross-border data transfer compliance issues under current EU data protection law and ‘future proofing’ the arrangements under the GDPR. The matter related to the client’s provision of support services to a major Japanese healthcare company and its EU subsidiaries as part of a large-scale IT outsourcing project.
  • Advising a venture capital backed developer of a new social media app on structuring the app and service to be compliant under the GDPR, with particular focus on privacy by design and by default, use of children’s data, and data portability.
  • Advising a Tokyo Stock Exchange-listed, multi-billion dollar turnover Japanese industrial conglomerate on a major project to prepare for the implementation of the GDPR. We are acting as lead project counsel for the EU on all aspects of the project including:

– Delivering a data awareness training session to senior UK management covering the existing EU data protection and cybersecurity regime and changes to be brought in under the GDPR.

– Undertaking a full data audit of the client’s UK subsidiaries including conducting interviews across core business teams and reviewing policies and contracts with third party providers.

– Comprehensive reporting on the outcome of the data audit.

– Formulating a structured programme of detailed recommendations for GDPR preparation.

– Supporting the client on implementing our recommendations in the UK.

– Coordinating and working together with the client’s local legal advisers to extend the data audit and recommendations to its other European subsidiaries in multiple EU countries including France, Germany, Spain and Italy.