Cookie PolicyWe use cookies to enhance your experience while using our website. We will take your continued use of our website as consent to our use of cookies.

 

      

Legal 500 Awards

Awards

501592-Data-protection-web-Banner-1170x160-300.png

Data Protection & Regulation

Lupton Fawcett provides a full range of advice on data protection and regulation.  This is an area with significantly increased relevance to many businesses and other organisations, due to the adoption of the General Data Protection Regulation (GDPR). 


This new EU framework will be applicable to all Member States without the need for national legislation and contains some onerous obligations, many of which will take considerable time and effort to prepare for.  Non-compliance will have serious penalties in the form of fines. These fines will be much higher than the previous maximum UK penalty for a data protection breach, which is £500,000.  The new GDPR maximum will be €20m, or 4% of an organisation’s global turnover (if higher).

Now is the time to act, to assess your compliance and to formulate a plan of action whilst time is still on your side. 

What can Lupton Fawcett do to help? 

We can help you address the steps you will need to take to ensure your GDPR compliance including: 

If you are facing an ICO investigation or associated court hearings we are able to advise and represent you. 

GDPR (EU General Data Protection Regulation) – what it is and key points to consider

Background

In April 2016, the European Parliament and the Council adopted the General Data Protection Regulation (GDPR). The Regulation will come into force on the 20th May 2018.

Following implementation, the Regulation will be in effect immediately throughout the EU, without requiring implementation by the EU Member States through national law. Whatever happens in relation to UK domestic law following Brexit, the GDPR will remain relevant for organisations in the UK that conduct business internationally.

 

Who does the GDPR apply to:

The GDPR applies to “controllers and processors”. The definitions are broadly similar to those under the Data Protection Act 1998 (“DPA”). The controller is the person who determines the purpose, and the manner in which personal data is processed. The processor acts on the controller's behalf. If you are subject to the DPA then you will likely be subject to the GDPR. 

 

What information does the GDPR apply to: 

As with the DPA, the GDPR applies to “personal data” but the definition is more expansive to reflect changes in technology and how information on people is collected. 

Personal data such as HR records, customer lists or contact details will be in many ways treated in the GDPR as under the DPA.  However, the GDPR applies to both automated personal data and manual filing systems where accessible according to specific criteria. 

Sensitive personal data (“special categories of personal data”) are broadly the same as under the DPA however now include genetic and biometric data.

 

Principles of GDPR 

Under the GDPR the data protection principles set out the main responsibilities for organisations, for example, that data is processed lawfully and collected only for specified, explicit and legitimate purposes, is accurate and appropriately secure. 

The principles are similar to those under the DPA but significantly the GDPR introduces an accountability requirement with a greater focus on the legal basis for processing personal data and transparency. 

You are expected to put into place comprehensive and proportionate governance measures to minimise the risk of breaches and to protect personal data. Practically this will mean more policies and procedures for organisations.

 

Consent 

The giving of consent is one of the gateways through which a controller can establish a legal basis for processing personal data. Under the DPA controllers have flexibility to determine how data is used and to control how data is shared if consent is based for example on an employment contract or by way of an implied consent. 

The definition of "consent" is much stricter under the GDPR. Consent should be freely given, specific, informed and unambiguous. Implied consent (e.g. not responding to a request) or processing for “legitimate interests” will not be sufficient. 

Consent must be explicit so if consent is to be given in a written document it must be made in a manner which is clearly distinguishable from other aspects of the document.

 

Data Subject rights 

The GDPR strengthens rights that exist and creates new rights: 

  • The right to be informed on what data is being processed, typically through a privacy notice which will now need to include detailed information;
  • The right to access their personal data (the £10 charge is removed – unless the request is manifestly unfounded or excessive - and information must now be provided within 1 month);
  • The right to rectification if data is inaccurate or incomplete;
  • The right to erasure: this is known as the “right to be forgotten”. The former threshold test under the DPA for erasure of data is removed, strengthening a data subject’s rights to require a controller to delete data files if there are no legitimate grounds for retaining them.
  • The right to restrict processing: under the DPA individuals have the right to block the processing of data, for example when the accuracy of personal data is contested. The GDPR applies a similar principle.
  • The right to data portability: the GDPR introduces a new right to data portability and allows individuals to move, copy or transfer personal data easily between one IT environment to another in a secure and safe manner;
  • The right to object: individuals have the right to object to processing on grounds relating to his or her particular situation unless there are compelling legitimate grounds for processing.
  • Rights relating to automated decision making and profiling: The GDPR provides safeguards for individuals against the risk of a decision being taken without human intervention.  

 

Data Processors 

The GDPR tightens the rules on the use of data processors and directly regulates data processors for the first time, extending the formal contractual requirements needed between data controllers and data processors. Under the DPA only data controllers have liability to data subjects for compliance. Under the GDPR data processors will also have a duty to comply and potential liability if they fail.

 

Governance 

The GDPR increases responsibility and accountability on organisations to manage how they control and process personal data. This complements the transparency requirements. 

Organisations are expected to put in place comprehensive and proportionate governance measures. The measures include: 

  • Keeping a detailed record of processing operations;
  • Conducting a privacy impact assessment;
  • Designating a data protection officer (“DPO”) if required (this only applies if you are a public authority, carry out large-scale systematic monitoring of individuals, or carry out large scale processing of special categories of data). If appointing a DPO is not a requirement for your organisation you must still ensure someone has the skills to discharge the organisation's obligations under the GDPR;
  • Notifying the Regulator of data breaches. Mandatory notification promptly and at the latest, within 72 hours is a significant new measure imposed by the GDPR. A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration or unauthorised disclosure of personal data;
  • Implementing “privacy by design and default”. Under the GDPR organisations have an obligation to implement technical and organisational measures to demonstrate that you have considered and integrated data protection into your processing activities.

 

Enforcement 

The regime under the GDPR provides for regulators to impose greater financial sanctions than under the DPA which will be up to 4% of the annual worldwide turnover of an organisation. 

The GDPR will be applied consistently across all member states thereby creating uniformity of approach in imposing sanctions for breach. 

The significant financial consequences for data security breach under the GDPR will necessitate businesses implementing clear policies and procedures to mitigate operational risk. 

 

How Lupton Fawcett can help with GDPR compliance 

  • Audit of your data protection practices 
    • We will visit your premises and interview the key personnel who manage data in your organisation.
    • We will view the physical and digital arrangements that you have for storage of documentation.
    • We will review your key data protection policies, consent forms and other documents.
    • We will review your key data protection statements on your website. 
  • We will provide you with a report of the steps you must take to become GDPR compliant and how you can achieve them
    • Following our audit visit, we will draft a full audit report.
    • We will highlight the areas where you are compliant with data protection legislation.
    • We will highlight any areas where your processes and arrangements fall short of the requirements of the data protection legislation.
    • We will recommend the steps that you should take to ensure that you are fully compliant with the data protection legislation.
  • We can prepare all policies, notices, consent forms etc you will require to ensure GDPR compliance
    • Data protection policies
    • Fair processing notices
    • Consent forms
    • Electronic consent forms/email consent forms/web consent forms
    • Subject access request documentation 
  • We will advise you about your obligations concerning the transfer of data to foreign locations and provide guidance on the steps and limits you must implement to ensure compliance
    • We will review your current contracts and advise on any amendments to be made.
    • Where necessary we will provide further contractual documentation. 

Further Reading

Contact us for help

To speak to a solicitor about our GDPR services or for advice, call us on 0333 323 5292, or download our team sheet. Alternatively, send us an email or complete the form below to let us know that you would like to hear from us.

Get in Touch

With Lupton Fawcett on your side, you're taking control. Contact us today.

Enquiry Form

Please complete this form to make an enquiry and we will get back to you as soon as we can.

Remember you can still call us on 0333 323 5292 or email us at dataprotection@luptonfawcett.law

 Yes
 No
Get in Touch