
Brilliantly Simple Guide to the GDPR

It’s not often that a piece of regulation affects everyone in business, but the General Data Protection Regulation (the “GDPR”) does. BPE recognises the importance of the GDPR, the biggest change to our national data protection laws for 20 years.

We have developed an extensive knowledge of the GDPR, as well as of the Data Protection Act 2018, the related UK data protection regulations and the ePrivacy rules, the last of which deal specifically with cookies and electronic marketing.

We appreciate that compliance with the new privacy and security requirements is a cost that businesses could do without, which is why our services are designed to prioritise the areas most likely to generate complaints, and to leave the less critical areas to be developed and implemented over a longer period of time.

We look to apply the law to specific practical situations wherever possible, to help make the subject matter understandable and digestible for non-legal professionals.

What is the GDPR?

The General Data Protection Regulation (GDPR), which came into effect on 25th May 2018, provides a legal framework for protecting individuals’ personal data by requiring organisations to have robust processes in place for handling, securing and storing personal information. It also gives individuals greater control over how organisations use their data and contact them, in particular for marketing.

Why Does it Matter?

The GDPR is bigger than its predecessor, the Data Protection Act 1998 (DPA 1998), and ushered in a wave of new rules which are significantly different in certain areas, such as:

  • a wider definition of ‘personal data’ which covers more information than ever before, including online identifiers such as IP addresses and cookie IDs;
  • data processors (i.e. firms that process personal data on behalf of another business, such as an outsourced payroll service) now have direct statutory obligations under the GDPR, whereas they had none under the DPA 1998;
  • businesses based outside of the EU must comply if they offer goods or services to individuals in the EU, or monitor their behaviour (one to watch post-Brexit!);
  • when relying on ‘consent’ from individuals, it must now be freely given, specific, informed and unambiguous - it’s all about ‘opting in’ (and knowing exactly what we’re signing up for) rather than ‘opting out’. The old rules placed the onus on the individual to ask to be removed from a mailing list; now businesses must obtain consent from the very start, and pre-ticked boxes or silence do not count;
  • a duty to report personal data breaches that are likely to put individuals at risk to the Information Commissioner within 72 hours of becoming aware of them, and to tell the affected individuals where the risk is high;
  • a new ‘right to be forgotten’ (the right to erasure);
  • the statutory need for certain businesses to appoint data protection officers, responsible for overseeing the new requirements for record-keeping and data protection impact assessments;
  • an easier process for individuals to claim compensation from a non-compliant business; and
  • tougher penalties for non-compliance, with fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher.


Who Needs to Know?

This is a matter of governance, so it should be on the Board’s agenda. As well as operational policies for marketing teams and data handlers, firms may be required to appoint data protection officers and conduct data protection impact assessments. Contracts between businesses have become more complicated, because the GDPR prescribes the terms that must appear in any contract with a data processor. So HR, operations, business development and marketing should all be involved, and everyone in the business who uses personal data should know how to comply.

While some industries will be more obviously affected than others – those in the direct marketing industry, consumer-facing businesses, firms that trade internationally or through e-commerce, and firms that hold large customer databases – the GDPR touches every business to some degree.


Five Things to Check Now

Here are five things that you need to address, if you haven’t already.

  1. Information held: do you know what personal data you currently hold, where it came from, what it is used for and who it is shared with? If not, carrying out an information audit will help identify areas for reform, and the results feed directly into the record of processing activities the GDPR requires;
  2. Privacy notices: check your current privacy notices (the statement that describes what you use personal data for, on what lawful basis, and for how long you keep it). Do they meet GDPR requirements? Remember they should be kept under continuous review and updated when something changes;
  3. Rights: ensure that your procedures cover all the rights of an individual, including how you would verify the requester’s identity, how data would be provided in response to a subject access request within the one-month deadline, and how you would action a request for erasure;
  4. Gathering consent: does the way you gather and record consent comply with the GDPR? You need to be able to show who consented, when, how and to what;
  5. Information about children: where you rely on consent to offer online services to children, consent must come from a parent or guardian if the child is under 13 (the UK threshold; up to 16 elsewhere in the EU). Have you put in place adequate age verification to support the proper consent procedure?


Get in touch

Talk to us about your legal challenges and discover how our expert, pragmatic legal advice and broad commercial acumen can help.