The recent international cyberattack has brought data protection issues into the thinking of business owners everywhere and onto the front pages of newspapers around the globe. With the ever-increasing threat of cyberattacks and the ever-growing amount of personal data gathered by organisations, legislation is now fighting back, with demanding data protection requirements and substantial fines for non-compliance. Grant Usher, Associate, discusses the upcoming changes to data protection law and what your business can do to remain compliant.
“The greatest challenge as a Corporate & Commercial solicitor is ensuring that our clients are aware of the abundant changes in data protection law which come into force in 2018, so that they and their businesses are as ready as they can be for when the new laws come into force.”
What Will Change In My Business?
As of May 2018, the General Data Protection Regulation (GDPR) – legislation from the European Union - will take effect and will replace the Data Protection Directive. Whilst some commentators are questioning whether the GDPR is here to stay in light of Brexit, Grant offers a note of caution.
“Whilst the terms of Brexit are still to be agreed, the GDPR will apply from May 2018 until the date Britain leaves the European Union and is likely to substantially be retained thereafter. Therefore, compliance with the GDPR remains vitally important.”
The GDPR will introduce various changes to businesses, including:
- There will be no need to register a business with the Information Commissioner’s Office (ICO).
- The GDPR will extend to businesses who offer goods and services in the EU but themselves are based outside of the EU. Even in the case of a ‘hard Brexit’, the new rules will affect British businesses if they process data of individuals based in the EU.
- Businesses must demonstrate compliance by documenting decision making processes and following documented procedures. Compliance must be seen to be undertaken by a business.
- Businesses will be expected to build data protection into the design of their systems, to ensure the amount of data collected is minimised, that it is held for only the specific purpose for which it was obtained and that it is retained for no longer than strictly necessary.
- The GDPR puts an expectation on businesses to undertake ‘regular’ assessments of the data they held. How regular the assessments should be is still unclear.
- Data protection breaches, such as sending emails to the wrong person and losing confidential documents, laptops or other devices, must now be reported to the ICO within 72 hours of the breach. Records must be kept of all data breaches and the action taken by the business.
The GDPR also tightens regulations on ‘data processors’ (i.e. staff or an outsourced entity that provides banking, HR, payroll or cloud services, for instance). From May 2018:
- The data processor can only process personal data if it has written instructions from the business setting out the precise processing activities to be commenced.
- The data processor will have a responsibility to notify the business of any data breach of which they become aware. The data processor will be answerable and must demonstrate data protection compliance to the business.
As Grant explains, whilst the above changes may appear onerous to business owners, it is important to remember the penalties for failure to comply.
“The GDPR brings in a far tougher regime than is currently in force. The maximum penalty for non-compliance at present is £500,000. Under the GDPR, this is being extended to the higher of 20m Euros or 4% of the business’s worldwide turnover.
The GDPR’s penalties are harsh for a reason – the drastic change in maximum penalties may not always mean higher penalties in practice, but it is more likely to focus the mind.”
What Can My Business Do To Prepare For The Changes?
Whilst compliance with the GDPR can appear time-consuming and potentially expensive, there are some ‘quick and easy’ fixes which shall go towards demonstrating compliance with the new data protection regime.
- Ensure key personnel and decision-makers are aware that the law is changing and the impact this shall have on the business. Ensure that this message filters down to all members of staff.
- Designate an individual who shall take responsibility for data protection compliance.
- Review the business’s privacy and data protection policies and plan for any necessary changes ahead of May 2018.
- Educate all members of staff on what personal data is, what each individual’s obligations are and how they can report a data breach.
- Document what personal data the business currently holds, where it originated from and who it is shared with. This may, in turn, require a more complete information audit.
While there is clearly much work to be done to prepare for the GDPR, Grant explains it is equally about a business’s culture and commitment to be compliant as it is about processes and policies.
“Without buy-in from Board level down to everyday staff, compliance with the GDPR will be very difficult. Token responsibility from directors is not enough. Significant engagement with all staff on the GDPR; regular meetings, items on management team agendas and establishing reporting lines from staff to senior figures is vital. Non-compliance with the GDPR is a focal area of risk - regulatory, legal, operational and reputational.”
By having solid internal processes, coupled with buy-in and awareness from all staff and sound advice from professional advisors, businesses can ensure they comply with the GDPR.
How Can Verisona Law Help Me and My Business?
At Verisona Law, we can assist you and your business in preparing for the GDPR and ensuring your business is compliant by:
- Reviewing your business’s internal data protection and privacy policies;
- Reviewing your business’s terms and conditions;
- Reviewing your business’s commercial agreements with customers, suppliers, distributors and suchlike; and
- Providing training to your business’s staff and board members.
If you would like further information, please contact Grant Usher (Associate) at email@example.com or via telephone on 023 9231 2058.
- Sale and purchase of business, asset and shares
- Business start-ups and SME’s
- Management Buy-Outs (MBO’s) and Buy-Ins (MBI)
- Share buy backs
- Due diligence
- Company re-organisation and re-structuring advice
- Shareholders’ and partnership agreements
- LLP and Partnership advice
- Shareholder disputes
- Drafting inter-creditor, facility, guarantee and other security agreements
- Subordination and priority arrangements
- Advice on personal and corporate guarantees
- Joint ventures and collaboration agreements
- Terms and conditions of sale or purchase for goods/services
- Agency and distribution agreements
- Non-disclosure agreements (NDA)
- Bespoke trading agreements
- Intellectual property protection
- Incorporation of limited liability partnerships and companies
- Creating and/or maintaining statutory registers, minute books and share certificates
- Preparing board minutes, resolutions and notices
- Assisting with your confirmation statement
- Drafting or amending Articles of Association
- Dissolving or striking companies off the register
- Implementing changes to your share capital
- Drafting and filing of Companies House forms.
“The (Corporate and Commercial) team did Verisona Law proud. I really appreciate all your assistance throughout the transaction.”
Director of a Groundworks and civil engineering business, June 2018
“I would just like to say a very big thank you to you for all of your amazing hard work and patience during the course of the sale. Myself and the family very much appreciate it.”
Exiting shareholder of an IT company, July 2018
“Thank you for all your work in dealing with the acquisition, your advice has been really helpful.”
Seller of a healthcare business, January 2019