firstname.lastname@example.org London – 020 305 68855 Cornwall – 01726 247047
GDPR stands for the General Data Protection Regulation. It was introduced to protect personal data and the rights of individuals as well as to ease the flow of personal data across the 28 EU member states.
The Regulation came into effect on the 25th May 2018 and brought significant changes to data protection law. At the same time, the government passed the Data Protection Act 2018.
The rules for obtaining valid consent to use personal information are much tougher under the GDPR. Companies must ensure that consent is clear, affirmative and in plain language, and must make it as easy for data subjects to withdraw consent as it was to give it.
According to the Information Commissioner’s Office (ICO), organisations are expected to:
“….. put into place comprehensive but proportionate governance measures. Good practice tools that the ICO has championed for a long time such as privacy impact assessments and privacy by design are now legally required in certain circumstances. Ultimately, these measures should minimise the risk of breaches and uphold the protection of personal data. Practically, this is likely to mean more policies and procedures for organisations, although many organisations will already have good governance measures in place.”
The Regulation applies to all personal data.
Personal data means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
The GDPR states that personal data must be:
All of your policies and processes must reflect these principles. We can draft all of your policies and processes and train you and your staff.
The GDPR has introduced a tiered approach to fines, meaning that the severity of the infringement determines the fine imposed. An organisation must report a personal data breach to the ICO within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals.
The maximum fine a company can face is 4% of its annual global turnover, or €20 million, whichever is higher.
Less serious violations, such as keeping improper records or failing to notify the ICO of a breach, can be fined a maximum of 2% of annual global turnover, or €10 million, whichever is higher.
It is not necessarily compulsory for all organisations to appoint a DPO as this will be dependent upon a number of factors. According to the ICO, a company should appoint a DPO if they:
The EU’s Article 29 Working Party has stated that a DPO must be an expert in data protection law and must not hold a role that determines the purposes and means of processing, such as senior management, Head of IT or Head of HR, as this would create a conflict of interest. The DPO must be independent and report directly to the highest level of management.
Organisations that typically require a DPO include health care providers (doctors, dentists, chiropractors, physiotherapists, etc.), insurance companies, private security companies, marketing companies and charities.
Any organisation may appoint a DPO if it wishes to do so. However, even if a company chooses not to appoint a DPO because the above does not apply to it, it must still ensure that it has sufficient staff and skills in place to carry out its obligations under the GDPR.
We can act as your DPO for as little as one hour a month.
There are eight fundamental rights of individuals under GDPR. Your organisation’s data protection governance will need to encompass these rights. The rights are:
A controller is the entity that determines the purposes, conditions and means of the processing of personal data, while a processor is an entity that processes personal data on behalf of the controller. Both can be held liable if the processor suffers a data breach. Controllers may only use processors that provide sufficient guarantees of GDPR compliance, and the relationship must be governed by a written contract.
The conditions for consent have been strengthened: companies can no longer rely on long, illegible terms and conditions full of legalese. A request for consent must be clearly distinguishable from other matters and presented in an intelligible and easily accessible form, using clear and plain language, with the purpose of the processing stated alongside it, so that the consent given is unambiguous. It must be as easy to withdraw consent as it is to give it. Explicit consent is required for processing special categories of personal data; in that context nothing short of an “opt in” will suffice. For non-sensitive data, unambiguous consent is enough.
Accountability is of primary importance under the GDPR. You must be able to provide evidence that your organisation is compliant, so a range of policies and processes is required, along with appropriate technical and organisational security measures.
Yes, you can, but you should have expert knowledge of data protection law and the GDPR. We can carry out a data protection audit, write all of your policies and train your staff. We can also act as your DPO for as little as one hour a month. Leaving your data protection to us will allow you to concentrate on your business.
Registration number: 10427754. Registered office: Central Point, Beech Street, London EC2Y 8AD.
VAT Registration number: 285986235