May 25th 2018 is now mentally enshrined as a black-letter day in corporate Britain. No, it is not another Royal wedding or an overnight sporting event likely to result in absentee employees the following day. It is the date on which the General Data Protection Regulation (GDPR) enters into force in the UK.
The date is ominous because there is no transitional period: from that date forth, companies suffering a data breach, or otherwise in breach of the extensive requirements, will face fines of up to 4% of global annual turnover or €20 million, whichever is the higher. This is at least a 35-fold increase on the present maximum cap under the Data Protection Act, i.e. £500,000. Brexit will not affect this.
Not only is corporate Britain taking note, but so are global behemoths such as Facebook and Google. This is because GDPR, unlike the present regime, is extra-territorial in effect, meaning that any entity based outside the UK which deals with personal data pertaining to UK subjects is caught by GDPR.
No organisation is exempt. Personal data is central to the operation of nearly every business, whether you are a marketing company working for others, a company doing your own marketing based on your own or third party databases, a company selling services or products online, or simply a company with personnel records.
There are three key stages to becoming GDPR-ready. The first is to map the matrix of personal data entering and being processed by your company and then assess this in the light of GDPR's requirements. This should be captured in a "gap analysis" which sets out the areas in which your current processes and documentation do not meet GDPR requirements.
Once you have done this, the second stage is to allocate responsibility both internally to appropriate stakeholders and externally to service providers such as lawyers to address the deficiencies before the witching hour.
Finally, you will need to set up a team with a relevant breadth of expertise covering all aspects of GDPR compliance, ensuring it has the necessary "weight" at senior levels. You should also put in place appropriate educational and continuing assessment resources so that the relevant people are aware not only of what they need to do to become compliant by May, but also of the proper audits, checks and balances you will need to instigate for ongoing compliance purposes. In particular, you will need to ensure that future marketing plans targeted at consumers are filtered for GDPR compliance before going live, and that appropriate records of your deliberations are made and retained.
Recognising the need for a specialist multi-disciplinary data protection team to best meet clients' needs in a joined-up manner, we set up a specialist data protection team comprising lawyers from various departments, both contentious and non-contentious. Our non-contentious work comprises assisting clients to identify the risks that require remediation and then helping them to put in place internal procedures and policies, as well as contractual documentation with third party data processors, to address their exposure.
On the contentious side, we assist with subject access requests, data breaches, threats of legal claims, complaints to the Information Commissioner's Office ("ICO") and issues arising from cyber-attacks. We can also assist with reputation management issues arising from any data breaches, adverse legal judgments or ICO decisions.
For further information or assistance, please contact Simon Halberstam and Raoul Lumb for non-contentious matters, and Stephen Shotnes and Jeffrey Smele for contentious issues.