
New regulations: are SMEs ready?

By Christopher Buck

Franklins Solicitors

MANY small and medium-sized businesses (SMEs) will know from recent publicity around its implementation that, on 25 May 2018, a new law called the General Data Protection Regulation (or the GDPR for short) will take effect. However, will they be ready for it?

There has been a lot of coverage on the GDPR, not least due to the headline-grabbing threat of fines of up to 20 million Euros or four per cent of a business’s global turnover, whichever is the greater. This is certainly significantly more punitive than the maximum of £500,000 under the existing law.

The GDPR will override the Data Protection Act 1998 and, in doing so, will bring about the biggest change to data protection law in over 20 years. The Brexit vote caused widespread confusion as to the future applicability of the GDPR to organisations in the United Kingdom. However, it has now been made clear that businesses should prepare to comply with the GDPR regardless of Brexit.

The countdown clock to its implementation is, therefore, ticking and all organisations, regardless of their size or remit, will have to take notice of the GDPR and be prepared for it.

Many businesses will be unsure of what they should actually be doing to get ready. Getting to grips with the GDPR can certainly appear daunting and this is likely to be particularly so for SMEs.

Some of the key aspects of the GDPR are as follows:

– The new law imposes enhanced transparency obligations on data controllers. Under the GDPR, data controllers must provide data subjects with information notices which contain prescribed information about the processing of the data subject’s personal data. Whether they are referred to as privacy policies, data protection statements or something else entirely, the information that an organisation gives to individuals when they collect their data will therefore clearly need to be reviewed and updated to meet the new information standards in the GDPR.

– In addition to the content of information notices, all points of data collection will need to be assessed to ensure that, where consent is relied upon, it is properly requested. Under the GDPR, businesses are required to meet a higher standard of consent: it must be a clear, affirmative act, and mere acquiescence (such as failing to un-tick a pre-ticked box in a privacy policy) will no longer indicate valid consent.

– Implementation of measures under the GDPR will, in some cases, require the appointment of a data protection officer. An organisation will therefore need to make an assessment as to whether or not it is required to appoint a data protection officer.

– The GDPR builds on the current law by enhancing existing data subject rights and adding a number of entirely new data subject rights. New rights include the “right to be forgotten” (the right to erasure) and the right to data portability.

– When appointing a data processor (which could include a supplier or sub-contractor), a data controller must ensure that a written data processing agreement is in place which meets detailed requirements set out in the GDPR.

Clearly reading an article such as this is not a substitute for legal advice. Here at Franklins we are available to offer advice and assistance which is focused on the steps which SMEs should put in place to get themselves ready so that they are compliant with the new law from when it comes into force and, as a result, so that they can mitigate the risk of investigative action, negative publicity and losing ground to better-prepared competitors.

Christopher Buck is a Solicitor and Associate Partner in the Corporate Services team of Franklins Solicitors LLP, which has offices in Milton Keynes and Northampton. Christopher seeks to provide cost effective solutions to businesses and can be contacted on 01908 660966 or
