Now that the GDPR has come into force, it is absolutely essential that businesses ensure they are following the new regulations. The consequences of non-compliance have the potential to cause great financial damage and the enforcement agencies operating in each of the EU nations will be taking their new responsibilities incredibly seriously. Here, we take a look at a few GDPR basics, examine what’s changing under the new regulations, and what non-compliance could mean for your business.
The General Data Protection Regulation (GDPR) came into effect on the 25th May 2018. It applies to all member states of the EU and introduces a number of new processes, procedures, rights, and responsibilities concerning the way organisations handle personal data. The regulations aim to standardise data protection practices across Europe and ensure that businesses and public bodies are collecting, storing, transferring, and deleting data in a secure and ethical manner.
How should data be handled?
The GDPR is predominately focused on the management of both ‘personal data’ and ‘sensitive personal data.’ The first of these terms is considered to mean any piece of data that can be used to identify an individual. This includes names, addresses, phone numbers, and email addresses, among other things. Sensitive personal data is that data which is not readily available, like religious or political beliefs, sexuality, and genetic information.
In terms of the major implications of GDPR, there are a number of important factors businesses must consider if they are to ensure compliance. They include:
- A clear method for processing personal data.
- The implementation of a process that allows individuals to request information pertaining to their stored personal data. This data must be provided within one month, unless the request is particularly onerous, in which case the data must be provided within two months, and, in any event, organisations must do so for free. Similar processes that allow personal data to be deleted should also be implemented.
- The reporting of any data breach or loss which has affected or is likely to affect the rights and freedoms of individuals must be made to the relevant enforcement agency within 72 hours. In the United Kingdom, this is the Information Commissioner’s Office. Additionally, those individuals affected by the data breach must also be notified.
- Those companies that employ more than 250 members of staff must detail why the information is being collected, how long it will be stored for, and what security measures are being taken to protect it. It is advisable that smaller businesses keep similar records in any event, as it should help demonstrate compliance with the GDPR.
- Any organisation that carries out large scale, regular and systematic data collection must appoint a Data Protection Officer (DPO).
One of the most eye-catching aspects of the GDPR is the option of EU authorities to issue companies with extremely large fines for non-compliance. Organisations that are found to have breached the regulations may face a financial penalty of up to €20 million or 4% of global annual turnover, whichever is greater. While only the worst offenders will be hit with the maximum fine, the ability to tailor the punishment to represent both the severity of the crime and the financial clout of the infringing company makes the GDPR a powerful regulatory tool. However, enforcement agencies in each of the EU nations covered by GDPR will aim to encourage attempted adoption of the regulations – even if there are early issues with compliance – rather than immediately punishing businesses with severe fines. If organisations can demonstrate that they are making concerted efforts to comply with GDPR, the UK government has offered reassurances that their approach will be defined by its leniency.
While implementation of the GDPR will result in widespread changes in the vast majority of UK businesses, it is not as radical a departure from existing data protection regulations as has been portrayed. However, threatened with large fines and damage to their reputation, businesses need to ensure that they are complying with the new measures.
Though we’ve listed the most important changes included in the GDPR, the legislation consists of over 90 individual articles. Consequently, businesses should seek legal guidance if they have any concerns relating to their own data handling and management practices.