Member Article

Act ahead of incoming data protection law

New European Union (EU) data protection rules which will become law in May 2018 will affect every business and organisation and cannot be ignored, according to Wake Smith Solicitors.

The EU’s new data protection rules will impact every entity that holds or uses European personal data, both inside and outside of Europe and breaches can incur heavy financial penalties, says the Sheffield law firm’s data protection specialist, Holly Dobson.

The General Data Protection Regulation (GDPR) was approved by the EU in January 2016. The UK government fed into the changes and despite Brexit, UK companies will have to comply with the regulations in order to trade with EU partners.

The final text of the (GDPR) was agreed in December 2015 after four years of political negotiations and lobbying involving all 28 EU member states.

Holly Dobson, said: “GDPR is a model change in the way that data collection and use is regulated. Regulators in Europe will ensure that citizens are protected by the most stringent data laws in the world and it would be a serious mistake for companies to act late in changing their procedures.

“Although 18 months may seem like a reasonable time to prepare for the regime, organisations will need to completely transform the way they collect and use personal information.”

One of the fundamental changes is companies which provide data services to other companies, known as data processors, will also be subject to the GDPR, and face the same hefty breaching fines, which will affect technology service providers in particular.

Holly added: “The GDPR will impact every data controller and processor that holds or uses European personal data both inside and outside of Europe. That could be health companies to research businesses, doctors’ surgeries to PLCs and local authorities.

“Businesses which are now not well versed with data protection requirements are going to have to gear up for GDPR.

“Companies will have to go through all their customer facing documentation, rewrite their terms and conditions, review clauses relating to data use and create separate documents on the capture, use and termination of data.”

A key element of the GDPR is not only increased compliance requirements, but heavy financial penalties for non-conformity - up to €20m or 4% of annual worldwide turnover for groups of companies, whichever is greater.

The fines apply to infringements of the basic principles for processing, including conditions for consent, data subjects’ rights, the conditions for lawful international data transfers, specific obligations under national laws permitted by the GDPR, and orders by data protection authorities including suspension of data flows.

Holly said: “The new enforcement, sanctions and remedies framework will give regulators unprecedented powers to intervene in business and shape how entities conduct their operations, including the power to impose these heavy fines.

“The GDPR will involve far more interface with a regulator. Data protection officers will be responsible for reporting breaches, demonstrating the auditing of processes and safeguarding.

“Organisations now face the challenge of having a really short time-frame to implement all the necessary changes to their systems and operations to meet the new compliance requirements.

“Changes will mean individuals can exercise a ‘right of data portability’, and will have clarity on the ‘right to be forgotten’ together with enhanced rights of access to their data and to demand the end of use of their data. They will also be able to sue entities for compensation.”

Holly, who has 10 years’ legal experience in data protection issues including advice on significant data breaches, says the GDPR adopts prescriptive rules around how organisations will need to demonstrate that they comply with the GDPR.

She said: “Businesses will genuinely have to adopt governance and accountability standards and not just pay lip service to data privacy obligations.”

Wake Smith will hold a free seminar on the GDPR on January 17 at its offices at No 1 Velocity, Sheffield from 8.30am. To book a place and for further details call Bridie Mulgrew on 0114 266 6660.

This was posted in Bdaily's Members' News section by Agent Public Relations .