In May 2018, the European Union General Data Protection Regulation (GDPR) will come into force affecting all member states of the EU. In this article our consultant Kelly Loydon highlights what GDPR is all about and what it means for businesses across Europe.
UK readers, before you breathe a momentary sigh of relief, not even Brexit will save you from GDPR. The new regulation will still apply to all companies, big or small, across Europe and it is expected that following Brexit the GDPR will be mirrored in UK law such that the UK will continue to have to abide by these same rules even once Brexit is complete.
GDPR is one of the largest regulatory changes of the last 20 years and it affects all sectors, whether your business sits within commerce and industry or financial services. In a nutshell, the new regulations require all businesses to handle the personal data they collect better and, in order for businesses to hold data, individuals will have been required to specifically opt in their details. Companies can be held liable for data breaches and many contracts that businesses are currently abiding by will need to be updated as the liability of data processors increases. At present, data processors are only accountable for failure to comply with their contractual obligations to the data controllers they are engaged with and are not accountable to regulators or data subjects, which will be the case as of May 2018.
If that isn’t enough to encourage action, the fines for non-compliance are massive. Companies in breach of GDPR can be fined up to 4% of annual global turnover or €20 million (whichever is greater). This is a big increase from the current levels which stand at around £50,000 for any breach. What’s more, the regulations do not stipulate how a fine will be decided. All we know is that each case will be assessed separately and will not be linked to the interpreted severity of the breach but a holistic approach will be taken in each instance. Not only that, but there is also potential that individuals can claim for compensation for breaches of the GDPR, a worrying thought when industry experts are calling GDPR “the next PPI”.
As a result of these changes we have already been approached by a number of businesses looking to grow their legal teams with data specialist lawyers, or in some cases, hire their first Data Protection Officer (another stipulation of the regulation: every business must have a Data Protection Officer (DPO)). Many are looking to grow their teams in the longer term and others are looking for interim help in order to get their business 100% up to speed before the enforcement date in May 2018. Large corporates and other companies that handle significant amounts of data may already have a data protection focused team in place. However for GDPR there may be a need for sizeable teams of document reviewers to undertake a large scale review of documentation.
SSQ can also supply these professionals directly to businesses in the UK. If a client doesn’t have the technology or real estate in place to manage the reviews we are also partnered with a number of suppliers we would happily introduce to assist. Many businesses choose this option for large scale projects in order to have a dedicated team to deal with the very time consuming nature of reviewing contracts, leaving the core legal team the time to focus on business as usual matters and retain motivation.
The regulation doesn’t outline any qualifications requirements for DPOs to meet except “expert knowledge of data protection law and practices.” DPOs don’t have to be qualified lawyers; paralegals and other legally trained candidates with expert knowledge in this area will be a viable alternative. Either way having a specialist as part of your team will be very beneficial.
There are several compelling reasons why a legal professional could help with the heavy burden of GDPR including:
1. Under the new regulation, the definition of personal data is broader and as a result the risk of a breach is greater. Companies will need help to identify the information they have which puts them at risk and take steps to store it correctly. For instance, children’s data in particular will need to be handled extremely carefully. Consent must be obtained from parents to process such data. It is vital that a business establishes that consent has been given for all data as the new GDPR regulations stipulate that this must be clear.
2. Along with the right to consent, data subjects now have “the right to be forgotten” and businesses will need their DPO/data protection teams to guide them on how to deal with this.
3. Contracts between data processors and data controllers will need to be renegotiated. Whether that is the relationship between a company’s accountancy firm, cloud provider or payroll company, it is likely to affect everyone to some degree.
Having a dedicated resource on board to guide your business through these changes will provide the reassurance needed to navigate GDPR confidently. As a business, whether you decide to hire a qualified lawyer or another legal professional as an alternative, on either a permanent or contract basis, we can help you to source the resource that is right for you. If you are interested in hiring to get on top of GDPR please contact Kelly Loydon.