Now that the GDPR has come into force, it is absolutely essential that businesses ensure they are following the new regulations. The consequences of non-compliance have the potential to cause great financial damage, and the enforcement agencies operating in each of the EU nations will be taking their new responsibilities incredibly seriously. Here, we take a look at a few GDPR basics, examine what’s changing under the new regulations, and consider what non-compliance could mean for your business.
The General Data Protection Regulation (GDPR) came into effect on the 25th May 2018. It applies to all member states of the EU and introduces a number of new processes, procedures, rights, and responsibilities concerning the way organisations handle personal data. The regulations aim to standardise data protection practices across Europe and ensure that businesses and public bodies are collecting, storing, transferring, and deleting data in a secure and ethical manner.
How should data be handled?
The GDPR is predominantly focused on the management of both ‘personal data’ and ‘sensitive personal data.’ The first of these terms is considered to mean any piece of data that can be used to identify an individual. This includes names, addresses, phone numbers, and email addresses, among other things. Sensitive personal data is data which is not readily available, such as religious or political beliefs, sexuality, and genetic information.
In terms of the major implications of GDPR, there are a number of important factors businesses must consider if they are to ensure compliance. They include:
- A clear method for processing personal data.
- The implementation of a process that allows individuals to request information pertaining to their stored personal data. This data must be provided within one month, unless the request is particularly onerous, in which case the data must be provided within two months, and, in any event, organisations must do so for free. Similar processes that allow personal data to be deleted should also be implemented.
- Any data breach or loss which has affected, or is likely to affect, the rights and freedoms of individuals must be reported to the relevant enforcement agency within 72 hours. In the United Kingdom, this is the Information Commissioner’s Office. Additionally, the individuals affected by the data breach must also be notified.
- Those companies that employ more than 250 members of staff must detail why the information is being collected, how long it will be stored for, and what security measures are being taken to protect it. It is advisable that smaller businesses keep similar records in any event, as it should help demonstrate compliance with the GDPR.
- Any organisation that carries out large scale, regular and systematic data collection must appoint a Data Protection Officer (DPO).
One of the most eye-catching aspects of the GDPR is the option for EU authorities to issue companies with extremely large fines for non-compliance. Organisations that are found to have breached the regulations may face a financial penalty of up to €20 million or 4% of global annual turnover, whichever is greater. While only the worst offenders will be hit with the maximum fine, the ability to tailor the punishment to reflect both the severity of the breach and the financial clout of the infringing company makes the GDPR a powerful regulatory tool. However, enforcement agencies in each of the EU nations covered by GDPR will aim to encourage attempted adoption of the regulations – even if there are early issues with compliance – rather than immediately punishing businesses with severe fines. If organisations can demonstrate that they are making concerted efforts to comply with GDPR, the UK government has offered reassurances that its approach will be defined by leniency.
While implementation of the GDPR will result in widespread changes in the vast majority of UK businesses, it is not as radical a departure from existing data protection regulations as has been portrayed. However, threatened with large fines and damage to their reputation, businesses need to ensure that they are complying with the new measures.
Though we’ve listed the most important changes included in the GDPR, the legislation consists of over 90 individual articles. Consequently, businesses should seek legal guidance if they have any concerns relating to their own data handling and management practices.