Gregor Kleinknecht and Petra Warrington discuss the new GDPR EU Regulation

  • June 15, 2017
  • By Hunters Law

GDPR: data protection version 2.0

The acronym GDPR does not exactly roll off the tongue, but anyone running a business, or processing personal data in any other capacity, whether as a charity, educational institution, membership organisation or employer, must familiarise themselves with it sooner rather than later.

The new General Data Protection Regulation (GDPR) is an EU Regulation that will take direct effect in all EU Member States, including the UK, on 25 May 2018.  In the UK, the GDPR will replace the Data Protection Act 1998 (1998 Act).  For the EU, the GDPR forms part of a bigger picture: the project of creating the digital single market.  It is generally anticipated that, following Brexit, the GDPR will be incorporated into UK national law and continue to apply without significant changes.

The current data protection regime pre-dates the digital age with its social media platforms, cloud computing, e-commerce, online banking, content streaming, computerised patient records, etc, and was simply no longer considered fit for purpose in an increasingly online and globalised world.  Moreover, large scale and well-publicised data breaches in the telecommunications and banking sectors have recently put data protection and security at the forefront of many consumers’, businesses’ and governments’ minds.

The GDPR is aimed both at harmonising and enhancing the regulatory framework governing data privacy across the EU, and at transforming the approach organisations take to protect citizens (called ‘data subjects’) from infringements of privacy law.  The GDPR will provide greater data protection for EU citizens in an increasingly digital, technological and globalised world and should be welcomed.  Examples where the GDPR will make a practical difference are data subject consent to data processing and profiling.  Importantly, the GDPR recognises that data flows no longer stop at national borders. The new rules will therefore apply to the processing of personal data of any person who is in the EU, even if the data controller or processor is not established in the EU.  In plain English, this means that social media companies based in the US will have to comply with the GDPR if they process the personal data of anybody who lives in the EU.

The UK is given an element of discretion as to the implementation of the new data protection regime, and can make additional provision in relation to some issues.  One such issue is the age at which a child can validly consent to the processing of their personal data, where information society services are offered directly to that child.

Anybody who processes personal data must start preparing now.  The Information Commissioner’s Office (ICO) is developing guidance on the implementation of the GDPR and has already published a very useful guide: Preparing for the General Data Protection Regulation (GDPR) – 12 steps to take now.  Hunters Solicitors is working with clients to audit what personal information they collect and how they process it.  The next step will be for the firm to assist clients with reviewing and updating their privacy and data protection policies, and their terms and conditions of business, to ensure compliance of their data processing and protection procedures with the new rules.  Businesses must also start planning ahead for what should happen in the event of a data breach, and familiarise themselves with who they must report a breach to.

In order to reduce red-tape for small businesses, the GDPR includes a derogation for organisations with fewer than 250 employees with regard to record-keeping.  In addition, the EU institutions and Member States, and their supervisory authorities – such as the ICO in the UK – are encouraged to take account of the specific needs of micro, small and medium-sized enterprises in the application of the GDPR. However, there will still be a need for organisations to learn about the changes and how to implement them – invariably, implementing changes will cause disruption during a transitional period.

Not being ready to comply with the new rules when they come into force will not be an option.  In this increasingly security conscious world, companies will be at a major competitive disadvantage if they cannot guarantee customer/client data protection.  Equally importantly, the GDPR enables large fines to be imposed for breaches of data protection rules, and permits individuals and groups to bring claims for compensation if they have suffered damage as a result of non-compliance.  Acting now and developing a strong plan for implementing the new rules will be essential for all businesses.

Gregor Kleinknecht, Partner

Petra Warrington, Associate

Related News

Mar 17, 2021
Stephen Morrall comments on Uber drivers entitled to minimum wage, holiday pay and pension following the Supreme Court decision in The Sunday Times Driving, The Times and the Daily Mail
Feb 19, 2021
Stephen Morrall comments on Uber losing a landmark Supreme Court battle in the Evening Standard and the Financial Times
Feb 12, 2021
Richard Baxter and Hannah Solel examine data protection post-Brexit in Information Security Buzz
Feb 05, 2021
Budget 2021 – Still time to prepare for any changes to Business Asset Disposal Relief
Jan 13, 2021
Stephen Morrall and Hannah Solel discuss the gig economy in 2021 in Employee Benefits
Jan 11, 2021
Richard Baxter and Hannah Solel provide a legal update on data protection in 2021
Jan 06, 2021
Stephen Morrall comments on unfair dismissal in Real Business
Dec 14, 2020
Hunters strengthens its Business team with new arrival
Jun 25, 2020
Stephen Morrall and Philippa Kum discuss witnessing a deed remotely
Jun 01, 2020
Amanda Lathia examines the legal challenges of returning to work during the post-COVID-19 lockdown in WealthBriefing

© Hunters Law LLP 2021 | Privacy NoticeLegal & Regulatory | Cookies Policy | Complaints Procedure.

Hunters Law LLP is authorised and regulated by the Solicitors Regulation Authority (number 657218)