The General Data Protection Regulation (GDPR) sets the standards for processing personal data in the EU. The GDPR has recently been incorporated into UK law by the introduction of the Data Protection Act 2018.
The new data protection regime strengthens the rights of individuals, increases the enforcement powers of supervisory authorities (such as the Information Commissioner’s Office) and imposes new obligations on organisations which process personal data. If you collect, store or use personal data, the data protection regime affects you.
You need to be clear about what personal data you hold about people, how that data is being used and how long it will be retained. You also need a legal basis for processing that data. Be aware that personal data includes anything that could identify a person, such as names, addresses and email addresses, as well as cookies, IP addresses and telephone numbers.
The penalty for a data breach under GDPR is up to €20 million or 4% of annual global turnover – whichever is higher.
Talk to us about:
- Bespoke privacy and data retention policies
- Data sharing agreements (data controller to controller arrangements)
- Data processing agreements (data controller and data processor arrangements)
- Review and updates to data protection provisions in existing contracts
- Record of processing activities
- Bespoke employee privacy notices
- Employee handbook privacy policies
- Bespoke subject access request response procedure
- On-site training sessions for managers
Some of the key things you need to do to demonstrate GDPR compliance include:
- If you rely on consent as your legal basis, it must be given freely, via a clear affirmative action.
- You’ll also need a retention policy: it is crucial that you only keep personal data for as long as it is needed for the original purpose for which it was provided.
- Your employment contracts and staff handbook need to be updated to ensure clarity about what data you are holding, why you are holding the data and how long you will retain it for.
- All written contracts with third parties which process personal data on your behalf need to be reviewed. In these circumstances, you are the data controller and the third party is the data processor, and you will need to include in your contract certain clauses prescribed by GDPR.