GDPR. It is a term which can strike fear into compliance teams, owner-managed businesses and whole industries across the land. Not a week goes by without a data breach of one form or another featuring prominently in our newspapers and across the various news channels.
But with headline-grabbing reports of companies due to be fined ‘up to 4% of annual turnover or 20m Euros’ once the Regulations are in force, of data protection rules sending companies out of business, and of entire operations having to cease temporarily so that the business can implement the Regulations, just how much truth is there behind these tales? Will the GDPR have such a radical effect, or are the stories purely rumour, speculation and conjecture?
Grant Usher, Associate, offers his take on GDPR and helps separate the fact from the fiction.
“Undoubtedly the GDPR has the potential for huge penalties to be issued to businesses, but commentators need to give more thought and context to the realities of the Regulations. Beyond the headlines, the rumours and the myths, there is another side to the GDPR, one which intends to improve existing data protection legislation which, currently, is outdated and requires enhancement in so many ways.
The Information Commissioner’s Office (‘ICO’) is not out to punish businesses; it is there to encourage data protection compliance for the good of all businesses, industries and consumers. The ICO has stated that it shall use its powers proportionately and that fines will only be issued where necessary and appropriate.”
All businesses must appoint a Data Protection Officer (‘DPO’).
This is not the case, although earlier drafts of the Regulations did indicate that it would be. DPOs are still mandatory in some cases, however, for instance where the organisation is a public body or processes personal data on a ‘large’ scale.
The DPO, where appointed, must be independent. This does not mean you have to appoint somebody externally; the DPO can be an existing employee. The role can be part-time or combined with other duties, but in performing the role the DPO must have an independent reporting line. As with most compliance officers, the DPO must be empowered and must report directly to the Board without interference.
As a data processor, I have no responsibility. The onus is solely on the Data Controller to be ‘GDPR compliant’.
Data Processors will have direct legal obligations and responsibilities, which means that data processors can, for the first time, be held liable for data breaches. This means that all contracts between Data Controllers and their suppliers (the data processors) need to be reviewed to ensure that the suppliers are ‘GDPR compliant’.
All data held by the business is encrypted. Therefore, I do not need to worry about being penalised.
Whilst security measures are vital, fines can be levied for an infringement of any of the data controller’s or data processor’s obligations under the GDPR, not just for data security breaches.
Once we leave the European Union, GDPR will become defunct.
The Regulations are here to stay, at least in one form or another. Even when the UK leaves the European Union, the ICO has announced that the GDPR will be carried into UK legislation, so the UK will have its own version of the GDPR. Compliance with the UK equivalent is likely to be at least as stringent as with the EU version.
The ICO will hit all companies breaching GDPR with a huge penalty.
The ICO has indicated that it shall use its increased powers proportionately and judiciously, and fines will not be issued for every infringement. Fines can be avoided if organisations are open and honest and report without undue delay, which sits alongside the basic transparency principles of the GDPR.
The ICO’s motto in this regard is ‘tell it all, tell it fast, tell the truth’.
A business must have consent if it wants to process personal data.
This is not the case. Consent is only one lawful basis; a business may instead rely on another lawful basis for processing, such as legitimate interests, carrying out a task in the public interest, or complying with a legal obligation.
GDPR is an unnecessary burden on organisations.
GDPR is an evolution, not a revolution. Yes, the Regulations demand more of organisations in terms of accountability for their use of personal data and enhance the existing rights of individuals; however, the GDPR builds on the foundations that have been in place for the last 20 years since the introduction of the Data Protection Act.
All data breaches will need to be reported to the ICO.
It will be mandatory for a business to report a personal data breach under the Regulations if it is likely to result in a risk to an individual’s rights and freedoms (i.e. if a particular individual can be identified).
Data breach reporting is about punishing organisations.
Personal data breach reporting has a strong public policy purpose. The law is designed to push businesses to step up their ability to detect and deter breaches. The ICO’s mindset is not to punish organisations, but to make them better equipped to deal with security vulnerabilities.
Personal data that is already in our database is not subject to the GDPR.
The GDPR applies to personal data regardless of when that data was collected. If the data was collected before the GDPR comes into effect (25 May 2018), the business and the relevant data will still be subject to the GDPR’s requirements.
If the data can identify an individual who was in the European Union at the time the data was collected, be it via their name, address, contact details or similar, that data will be within the scope of the Regulations.
How Can Verisona Law Help Me and My Business?
At Verisona Law, we can assist you and your business in preparing for the GDPR and ensuring your business is compliant by:
- Reviewing your business’s internal data protection and privacy policies;
- Reviewing your business’s terms and conditions;
- Reviewing your business’s commercial agreements with customers, suppliers, distributors and suchlike;
- Providing training to your business’s staff and board members.
If you would like further information, please contact Grant Usher (Associate) at firstname.lastname@example.org or via telephone on 023 9231 2058.