Change is Coming


As IT systems have developed over the years, governments have created legislation to safeguard the privacy of their citizens. The European Union’s General Data Protection Regulation (GDPR) comes into effect on 25 May 2018, when it replaces the UK Data Protection Act 1998 (1998 DPA). As the deadline is fast approaching, compliance is not a matter of choice or a matter of just ticking a few boxes.


The new regulation consists of 173 Recitals and 99 articles. The articles form the wording and instruction of the regulations and the recitals provide clarification to their meaning. This regulation impacts anyone in or from the EU and so will apply to UK and other EU companies. The regulation automatically became incorporated in UK law as it was passed when the UK was still a member of the EU.

The GDPR is far more detailed and specific than the 1998 DPA in that it puts the onus on the data controller to make sure they have the correct permission before using the data. The rights given to consumers within this new regulation include the right to have their data deleted and the right to request that their information be changed if it is wrong. Data subjects will also have the right to request their data in a common format that would make it easy for them to pass on that information to another provider. This would need to be provided within 30 days. The requirement to present data in a common format may create challenges for many companies as they decide which format will be suitable.

So far, the main concern for companies has been the large revenue-based fines that have been set out for non-compliance with the new regulations, imposing penalties of €20 million or 4 per cent of the company’s global annual turnover. With potential fines such as these, it is important for businesses to put in place processes to enable them to respond to and mitigate such risks.

In the recent Vidal-Hall v Google litigation, it was claimed that Google, through its use of internet ‘cookies’, misused the claimant’s private information by offering it to advertisers who used it to target advertisements which were displayed on the claimant’s computer screens. The claimant sought damages for distress and anxiety caused by the breaches. This right is also present in Article 82 of the GDPR, which provides the right to compensation for both “material” and “non-material” damage caused by infringement.


As GDPR does not only affect the IT department but has an impact on the whole structure of the company, this discussion needs to be taken to the boardroom. With the average GDPR-readiness scoring at 4.1 out of 10, it is apparent that more work needs to be done. Here are some tips to help you get started:

  1. Research what other organisations have done, particularly those in your sector

  2. Build staff awareness – Team compliance and training will make the transition much smoother for the whole team

  3. Check on your suppliers - Make sure that your suppliers or data processors are either already compliant or are making changes that will be effective by the deadline

  4. Conduct a Data Inventory Exercise - Go through the company’s process for collecting data step by step and you should start to see loopholes and areas which need to be reviewed in order to comply with the new regulations

It is not too late to start.

Just take it one step at a time and to your surprise you will become a GDPR expert!

For more information:

https://www.scotsman.com/news/opinion/james-mcgachie-get-ready-for-gdpr-or-you-may-suffer-consequences-1-4673865

http://www.computerweekly.com/news/252433683/Two-thirds-of-startups-ill-prepared-for-GDPR

https://www.carter-ruck.com/news/read/vidal-hall-v-google-goes-to-the-supreme-court

http://www.corporatecomplianceinsights.com/5-challenges-companies-must-address-now-prepare-gdpr/

https://www.itgovernance.co.uk/data-protection-dpa-and-eu-data-protection-regulation

Solinda Nyamutumbu is a legal intern at Pure Business Law. She is an LLB Graduate from The University of West England as of July 2017 and began her LPC/MSc course at The University of Law (Bloomsbury) in September 2017 as a part-time student. She has greatly enjoyed the varied and in-depth commercial experience which she is gaining during her internship at Pure Business Law.


