GDPR. It is a term which can strike fear into compliance teams, owner-managed businesses and whole industries across the land. Not a week goes by without a data breach of one form or another featuring prominently in our newspapers and across the various news channels.
But with headline-grabbing reports of companies due to be fined ‘up to 4% of annual turnover or 20m Euros’ once the Regulations are in force, of data protection rules sending companies out of business, and of entire operations having to cease temporarily so that the business can implement the Regulations, just how much truth is there behind these tales? Will the GDPR have such a radical effect, or are the stories purely rumour, speculation and conjecture?
Grant Usher, Associate, offers his take on GDPR and helps separate the fact from the fiction.
“Undoubtedly the GDPR has the potential for huge penalties to be issued to businesses, but commentators need to give more thought and context to the realities of the Regulations. Beyond the headlines, the rumours and the myths, there is another side to the GDPR, one which intends to improve existing data protection legislation which, currently, is outdated and requires enhancement in so many ways.
The Information Commissioner’s Office (‘ICO’) is not out to punish businesses, it is there to encourage data protection compliance for the good of all businesses, industries and consumers. The ICO has expressed that it shall use its powers proportionately and that fines will only be issued where necessary and appropriate.”
All businesses must appoint a Data Protection Officer (‘DPO’).
This is not the case, although earlier drafts of the Regulations initially indicated it would be. DPOs are still mandatory in some cases, however, for instance if the organisation is a public body or processes data on a ‘large’ scale.
The DPO, where appointed, must be independent. This does not mean you have to appoint somebody externally; the DPO can be an existing employee. The role can be part-time or combined with other duties, but in performing the role the DPO must have an independent reporting line. As with most compliance officers, the DPO must be empowered and must report directly to the Board without interference.
As a data processor, I have no responsibility. The onus is solely on the Data Controller to be ‘GDPR compliant’.
Data Processors will have direct legal obligations and responsibilities, which means that data processors can now be held liable for data breaches for the first time. This means all contracts between Data Controllers and their Data Processors (suppliers, for instance) need to be reviewed to ensure that the suppliers are ‘GDPR compliant’.
All data held by the business is encrypted. Therefore, I do not need to worry about being penalised.
Whilst security measures are vital, fines can be levied for an infringement of the data controller’s or data processor’s obligations under the GDPR and not just for data security breaches.
Once we leave the European Union, GDPR will become defunct.
The Regulations are here to stay, at least in one form or other. Even when the UK leaves the European Union, the ICO has announced that it will be taking the GDPR into UK legislation, so the UK will have its own version of GDPR. Compliance for the UK equivalent is likely to be at least as stringent as the EU version.
The ICO will hit all companies breaching GDPR with a huge penalty.
The ICO has indicated that it shall use its increased powers proportionately and judiciously, and that fines will not be issued in the case of every infringement. Fines can be avoided if organisations are open and honest and report without undue delay, which works alongside the basic transparency principles of the GDPR.
The ICO’s motto in this regard is ‘tell it all, tell it fast, tell the truth’.
A business must have consent if it wants to process personal data.
This is not the case. Consent is only one of several lawful bases; where it does not apply, a Data Processor must have an alternative lawful basis for processing the data, such as a legitimate interest, carrying out a task in the public interest or needing to comply with a legal obligation.
GDPR is an unnecessary burden on organisations.
GDPR is an evolution, not a revolution. Yes, the Regulations demand more of organisations in terms of accountability for their use of personal data and enhance the existing rights of individuals; however, GDPR builds on the foundations that have been in place for the last 20 years since the introduction of the Data Protection Act.
All data breaches will need to be reported to the ICO.
It will be mandatory for a business to report a personal data breach under the Regulations if it’s likely to result in a risk to an individual’s rights and freedoms (i.e. if a particular individual can be identified).
Data breach reporting is about punishing organisations.
Personal data breach reporting has a strong public policy purpose. The law is designed to push businesses to step up their ability to detect and deter breaches. The ICO’s mindset is not to punish organisations, but to make them better equipped to deal with security vulnerabilities.
Personal data that is already in our database is not subject to the GDPR.
The GDPR applies to personal data, regardless of when that data was collected. If the data was collected before the GDPR goes into effect (May 25, 2018), the business and relevant data will still be subject to GDPR requirements.
If the data can identify an individual who was in the European Union at the time the data was collected, be it via their name, address, contact details or similar, that data will be within the scope of the Regulations.
How Can Verisona Law Help Me and My Business?
At Verisona Law, we can assist you and your business in preparing for the GDPR and ensuring your business is compliant by:
- Reviewing your business’s internal data protection and privacy policies;
- Reviewing your business’s terms and conditions;
- Reviewing your business’s commercial agreements with customers, suppliers, distributors and suchlike;
- Providing training to your business’s staff and board members.
If you would like further information, please contact Grant Usher (Associate) at firstname.lastname@example.org or via telephone on 023 9231 2058.
- Sale and purchase of business, asset and shares
- Business start-ups and SMEs
- Management Buy-Outs (MBOs) and Buy-Ins (MBIs)
- Share buy-backs
- Due diligence
- Company re-organisation and re-structuring advice
- Shareholders’ and partnership agreements
- LLP and Partnership advice
- Shareholder disputes
- Drafting inter-creditor, facility, guarantee and other security agreements
- Subordination and priority arrangements
- Advice on personal and corporate guarantees
- Joint ventures and collaboration agreements
- Terms and conditions of sale or purchase for goods/services
- Agency and distribution agreements
- Non-disclosure agreements (NDA)
- Bespoke trading agreements
- Intellectual property protection
- Incorporation of limited liability partnerships and companies
- Creating and/or maintaining statutory registers, minute books and share certificates
- Preparing board minutes, resolutions and notices
- Assisting with your annual return
- Drafting or amending Articles of Association
- Dissolving or striking companies off the register
- Implementing changes to your share capital
- Drafting and filing of Companies House forms.
Dealing with creditors’ demands for personal guarantee payments
The company had substantial liabilities to the bank and its landlord. These liabilities were personally guaranteed, jointly and severally, by both directors.
The bank and landlord both called in the personal guarantees by pursuing our client, rather than the co-director who had little cash or assets.
As a result, our client was required to pay the guarantees, totalling tens of thousands of pounds.
Claiming a share of the guarantee payments from the co-director
We were instructed to pursue a claim against the co-director for a contribution of half the amount our client had paid.
The co-director instructed solicitors to resist the claim, alleging that they had had little or no involvement in, or control over, the business and so should not have to contribute.
We built a case based on detailed consideration of historic company records, which demonstrated the extent of each director’s involvement in the company. We supplied extensive witness statements and secured the disclosure of financial and other company records relevant to the case.
A number of witnesses also gave evidence at trial.
Winning and enforcing the claim
We secured a judgment at trial against our client’s former co-director for half of the sum our client had paid under the personal guarantees, together with interest and our client’s legal costs.
Subsequently we took enforcement action to recover payment and, despite the co-director’s limited means, successfully recovered the full sum for our client.
Former Director and Shareholder of Limited Company
The background to the situation was complicated, yet Verisona Law quickly grasped the essentials and prepared clear arguments with a minimum of wasted time and cost.
Throughout a worrying period, their calm approach allowed me to fulfil my group function with a restored confidence, having been distracted prior to Verisona Law’s appointment by the aggressive and unjustified stance of the Secretary of State.
I have no hesitation in recommending Verisona Law to anyone in a similar position.
Individual - Chairman of a group of companies in the construction industry