Gregor Kleinknecht and Petra Warrington discuss the new GDPR EU Regulation

  • June 15, 2017
  • By Hunters Law

GDPR: data protection version 2.0

The acronym GDPR does not exactly roll off the tongue, but anyone running a business, or processing personal data in any other capacity, whether as a charity, educational institution, membership organisation or employer, must familiarise themselves with it sooner rather than later.

The new General Data Protection Regulation (GDPR) is an EU Regulation that will take direct effect in all EU Member States, including the UK, on 25 May 2018.  In the UK, the GDPR will replace the Data Protection Act 1998 (1998 Act).  For the EU, the GDPR forms part of a bigger picture: the project of creating the digital single market.  It is generally anticipated that, following Brexit, the GDPR will be incorporated into UK national law and continue to apply without significant changes.

The current data protection regime pre-dates the digital age with its social media platforms, cloud computing, e-commerce, online banking, content streaming, computerised patient records, etc, and was simply no longer considered fit for purpose in an increasingly online and globalised world.  Moreover, large scale and well-publicised data breaches in the telecommunications and banking sectors have recently put data protection and security at the forefront of many consumers’, businesses’ and governments’ minds.

The GDPR is aimed both at harmonising and enhancing the regulatory framework governing data privacy across the EU, and at transforming the approach organisations take to protect citizens (called ‘data subjects’) from infringements of privacy law.  The GDPR will provide greater data protection for EU citizens in an increasingly digital, technological and globalised world and should be welcomed.  Examples where the GDPR will make a practical difference are data subject consent to data processing and profiling.  Importantly, the GDPR recognises that data flows no longer stop at national borders. The new rules will therefore apply to the processing of personal data of any person who is in the EU, even if the data controller or processor is not established in the EU.  In plain English, this means that social media companies based in the US will have to comply with the GDPR if they process the personal data of anybody who lives in the EU.

The UK is given an element of discretion as to the implementation of the new data protection regime, and can make additional provision in relation to some issues.  One such issue is the age at which a child can validly consent to the processing of their personal data, where information society services are offered directly to that child.

Anybody who processes personal data must start preparing now.  The Information Commissioner’s Office (ICO) is developing guidance on the implementation of the GDPR and has already published a very useful guide: Preparing for the General Data Protection Regulation (GDPR) – 12 steps to take now.  Hunters Solicitors is working with clients to audit what personal information they collect and how they process it.  The next step will be for the firm to assist clients with reviewing and updating their privacy and data protection policies, and their terms and conditions of business, to ensure compliance of their data processing and protection procedures with the new rules.  Businesses must also start planning ahead for what should happen in the event of a data breach, and familiarise themselves with who they must report a breach to.

In order to reduce red-tape for small businesses, the GDPR includes a derogation for organisations with fewer than 250 employees with regard to record-keeping.  In addition, the EU institutions and Member States, and their supervisory authorities – such as the ICO in the UK – are encouraged to take account of the specific needs of micro, small and medium-sized enterprises in the application of the GDPR. However, there will still be a need for organisations to learn about the changes and how to implement them – invariably, implementing changes will cause disruption during a transitional period.

Not being ready to comply with the new rules when they come into force will not be an option.  In this increasingly security conscious world, companies will be at a major competitive disadvantage if they cannot guarantee customer/client data protection.  Equally importantly, the GDPR enables large fines to be imposed for breaches of data protection rules, and permits individuals and groups to bring claims for compensation if they have suffered damage as a result of non-compliance.  Acting now and developing a strong plan for implementing the new rules will be essential for all businesses.

Gregor Kleinknecht, Partner

Petra Warrington, Associate

Related News

Jun 13, 2019
Gregor Kleinknecht examines the transposition of 5AMLD into UK law in Discover Germany
May 29, 2019
Gregor Kleinknecht speaking at a seminar presented by the Union Internationale des Avocats: The Death of a Transaction
May 17, 2019
Gregor Kleinknecht writes for Discover Germany’s June magazine
May 02, 2019
Gregor Kleinknecht appointed by as a UDPR panellist for resolving domain name disputes
Mar 22, 2019
Amanda Lathia examines cross-border mergers between UK companies and those governed by the law of another EEA state in Lawyer Monthly
Mar 18, 2019
Gregor Kleinknecht discusses the new draft Directive on Copyright in the Digital Single Market in Discover Germany
Feb 27, 2019
Gregor Kleinknecht’s chapter on options for brand protection and dispute resolution in Growing Business Innovation
Feb 21, 2019
Stephen Morrall and Jonathan Godwin-Austen speak at The LAPADA Conference 2019
Feb 13, 2019
Gregor Kleinknecht discusses social media platforms and regulation in Discover Germany
Jan 04, 2019
Gregor Kleinknecht’s article on the new EU Geoblocking Regulation in Discover Germany

© Hunters Law LLP 2019 | Privacy NoticeLegal & Regulatory | Cookies Policy | Complaints Procedure

Hunters Law LLP is authorised and regulated by the Solicitors Regulation Authority (number 657218)