The General Data Protection Regulation (GDPR) is a new data protection law which comes into force on 25 May 2018 and governs how businesses must handle and use personal data. Personal data means information relating to an identifiable individual. It covers everything from an individual’s home address to their HR and payroll information. Even the contact details of an individual placed in a CRM system purely to be used for B2B purposes amounts to the personal data of that individual. It is almost impossible to think of a business that is not handling some personal data.
The headline grabbing change is that, for a serious breach of GDPR, a business can be fined up to 4% of its annual turnover or EUR 20m (whichever is the greater!). This alone should be enough to persuade any business to ask itself what steps it is taking to comply. In practice, our view is that compliance with GDPR will become de rigueur through simple force of commercial pressure. For example, in respect of data processing, the regulations apply equally to both trading partners, so businesses in the EU will not be able to prove their own GDPR compliance if their (non-EU) trading partner is not GDPR compliant.
GDPR applies to any business that is “established” in the EU. Whilst the legal test for “established” can be quite complex, it is fair to say that if your business has employees based in the EU, it is likely to satisfy the test of being “established” in the EU.
GDPR will also apply to businesses established outside the EU, which sell goods or services to individuals in the EU or monitor the behaviour of individuals in the EU. Technically using tracking cookies (which many websites use) amounts to monitoring behaviour, so, in theory, vast numbers of non-EU businesses will be caught by GDPR!
Brexit will not impact upon the application of GDPR in the UK, and it will continue to apply in the UK once the UK leaves the EU. In the UK, GDPR has been described by the ICO (the UK body responsible for data protection enforcement) as an evolution rather than a revolution of existing UK data protection laws. That misses an important point because, in our experience, many UK businesses are not fully compliant with existing UK legislation. Typical examples where we see UK businesses not compliant with existing data protection laws include:
- Not telling individuals about the purpose for which the business is collecting their personal data. For instance, research published last year by the ICO revealed that 26 out of 30 retail websites they reviewed did not comply with existing law in relation to this area.
- Transferring personal data outside the EU. Except to a few specific countries such as Argentina, Switzerland and the Faroe Islands, personal data cannot be transferred outside the EU. For example, it is not possible to transfer personal data even between an EU subsidiary and a USA parent company. There are various ways around this but few businesses have implemented the work arounds.
- Using an individual’s personal data without that individual’s consent. Subject to some exceptions, it is not possible to use or do any act in relation to personal data without consent, yet consent is sometimes not obtained and, often where it is, the consent is inadequate.
All of the above law is repeated under GDPR in a more stringent form. If a business is not complying with existing data protection laws, then compliance under GDPR becomes much harder and the risk of incurring much heavier fines under GDPR is increased.
GDPR also introduces whole new areas of law including:
- A business must be able to demonstrate its compliance with GDPR. This includes implementing measures such as staff training and maintaining relevant documentation of its data processing activities. If a business has more than 250 employees, it must maintain additional internal records.
- A business processing personal data which is likely to lead to a high risk “to the rights and freedoms of individuals” must carry out and record data protection impact assessments.
- A business will need to put in place new procedures to ensure that personal data can be easily ported under the new data portability requirements or erased under the right to be forgotten.
- A business must comply with subject access requests within a reduced timescale.
- A business carrying out large scale data processing will, in many circumstances, be obliged to appoint a data protection officer.
- There are new rules for processing personal data of children and the consent that must be obtained.
- The data controller must ensure that anyone it engages to process data on its behalf, known as a data processor (for example a payroll services provider or a website host) provides sufficient guarantees as to its compliance with GDPR. In addition, GDPR requires that the contract between a data controller and a data processor contains a number of mandatory terms.
- A business must self-report within 72 hours any breach of the GDPR unless it is minor.
How Vistra can help with your GDPR compliance?
Through Vistra’s UK regulated law firm, Jordans Corporate Law, we can provide specific legal advice to businesses on any GDPR issue as well as undertaking a gap analysis to identify areas in which a business is not complying with GDPR. Vistra also offers an online supply chain relationship auditing tool, which automates the (potentially massive) task of surveying all the business’ trading partners, providing an automatic overview of risks and tracking the steps taken to achieve compliance. This tool is also useful in many other areas of supply chain monitoring and regulation, such as IT security, Sarbanes-Oxley, modern slavery and health and safety regulations.
Please contact Simon Bates, English qualified solicitor and executive director at Jordans Corporate Law, for further information.