Organisations hold vast amounts of personal data relating to customers, employees, and suppliers as well as within marketing databases. Compliance with data protection laws is vital in order to avoid sanctions, loss of revenue and negative publicity.

The General Data Protection Regulation (GDPR) came into force in May 2018 and represents a significant overhaul of data protection legislation: the accountability principle will mean that businesses will need to examine how they hold and use data and take steps to demonstrate compliance with the data protection principles; implied consent is no longer acceptable, neither are opt outs; the heavily publicised right to be forgotten is now a reality and sanctions for breaches are significantly higher.

Our experts can help you navigate the impact of the GDPR – from data mapping, to gap analysis and risk assessment though to helping you consider the practical implications of the change in the law on a business’ processes and procedures.

Did you know?

GDPR impacts upon all areas of the business and, given the sanctions involved, needs to be dealt with at board level. It particularly affects the following teams: HR, Sales & Marketing, IT and procurement.

  • The principle of accountability makes GDPR a “boardroom issue”
  • Privacy by design and default requires the implementation of appropriate technical and organisational measures and means that data protection needs to be embedded into an organisation’s processes and policies
  • An organisation with more than 250 employees or whose processing activities are a high risk to an individual’s rights and freedoms, must maintain retain records of its processing activities
  • Potential maximum penalties of up to EUR20 million or 4% of global turnover, whichever is the higher
  • Additional penalties could include suspension of data processing, risk of class actions, criminal sanctions, and reputational damage
  • Expanded territorial reach could affect non-EU subsidiaries whose processing activities relate to the offering of goods and services to or, monitoring the behaviour of, EU data subjects
  • Controllers and processors outside the EU who process personal data relating to EU data subjects may have to appoint a representative within the EU
  • Processing agreements (including those for outsourced business functions such as payroll and cloud solutions) need to be revised to include the mandatory processing provisions
  • Processes need to be in place to meet the enhanced data subject rights such as the right to access, the right to rectification, the ‘right to be forgotten’, the right to object and the right to data portability
  • Data breaches must be notified to the supervisory authority (the ICO in the UK) within 72 hours and in some circumstances must be notified to the data subject