All businesses collect and hold vast quantities of data about their customers and employees. That data is an important asset: many businesses rely on it to continue operating, and it can be a crucial aspect of valuing a business.
Data protection law aims to strike a balance between an individual’s right to privacy and the ability of organisations to use information about an individual for the purpose of their business.
In practice, this means that it is essential that all businesses have in place robust arrangements (both internal policies and procedures and contracts with their suppliers) to avoid data being lost, stolen, misused, damaged or destroyed prematurely. Any such incident could result in a large financial penalty, severe damage to the reputation of a business and a loss of confidence in it by its customers, employees and shareholders, as well as claims for compensation.
The General Data Protection Regulation (GDPR) comes into effect on 25 May 2018 and will replace the Data Protection Act 1998 which currently regulates the use of an individual’s personal data.
The significant increase in fines that can be imposed under the GDPR for non-compliance should be a huge incentive for businesses to ensure they are ready for the May 2018 deadline. For some breaches (for example those involving international transfers of personal data or failing to meet the conditions for processing data, such as obtaining valid consent), a business could be looking at a fine of up to 4% of annual worldwide turnover or EUR200 million. Other breaches could lead to a fine of up to 2% of annual worldwide turnover or EUR10 million.
Whilst businesses that currently comply with the Data Protection Act 1998 will have a good head start, the GDPR will bring some significant changes, which businesses need to prepare for.
We can help by:
- Advising on what businesses need to do to comply with the GDPR and assisting with preparations;
- Drafting and reviewing commercial contracts in relation (whether solely or partly) to processing of data to ensure they comply with the GDPR;
- Advising on how to deal with data subject access requests;
- Drafting data protection policies;
- Drafting privacy notices;
- Advising businesses following a data breach;
- Advising on data protection projects;
- Assisting with Privacy Impact Assessments;
- Conducting data protection audits;
- Ensuring staff are properly and appropriately trained;
- Advising on employment issues arising from data protection.