The GDPR is the biggest shake-up in data protection and privacy law in a generation. It is not affected by the UK’s decision to leave the EU: the UK Government has introduced a Data Protection Bill incorporating the provisions of the GDPR. Any business, public authority, third sector organisation or social enterprise that collects, stores or uses the personal data of individuals in the EU is affected by the GDPR, including organisations based outside the EU that offer those individuals goods or services or monitor their behaviour.
The GDPR introduces a new compliance regime, including an obligation to notify data breaches. Fines for breaches can be up to €20m or 4% of global annual turnover, whichever is higher. These figures far exceed the previous maximum fine of £500,000 that the Information Commissioner’s Office (ICO) could issue. The GDPR also gives individuals new and enhanced rights over their personal data, including a right to withdraw consent to data processing, a right to data portability and a right to be forgotten. For the first time, businesses that process personal data as an incidental part of providing services to corporate clients also come within the compliance regime and could therefore face direct enforcement action.
Data protection is a broad topic, so we have put together a team of data protection experts with experience across a range of legal disciplines. We also work with technology partners who can review your IT security measures and help you with any necessary enhancements. We advise on:
- lawful data processing
- digital technology and data security, including use of the cloud
- transferring data
- commercial contracts with third parties
- employee data and activity, including workplace monitoring
- using personal data for marketing activity
- cyber crime
- defending civil claims for compensation and breach of privacy
- reporting data breaches to the ICO.
We can:
- ensure you understand your obligations under the GDPR
- assess your current compliance in order to identify actions you need to take
- prioritise your actions by applying a risk-based approach
- help you with practical solutions that will ensure compliance, including policy development, privacy notices, consents, data processing and data sharing agreements and staff training.
Our packages include:
- Tailored briefing for your senior management team to raise awareness of the GDPR
- Full data mapping exercise to audit and review the GDPR compliance of your whole organisation. The plan produced is a key document that provides a business-wide, prioritised roadmap for the work and changes required to achieve compliance
- Specific mini-audits to cover key areas of your business such as HR, marketing, digital and accounts
- Legal document review of your data protection policy and record-keeping process, privacy notices, consents, contracts with third parties and data transfer documentation
- IT security audit, conducted by one of our partners, to review your IT security systems and recommend any technical remediation work
- Training for your in-house GDPR project team, as well as ongoing legal support for them as you get to grips with your preparations. This can be paid for “as needed” or on a retainer basis
- Assistance with developing staff policies and staff training programmes, a critical part of demonstrating compliance under the GDPR
- Any other legal remediation work that may be required.
Clients who buy any of the above packages, and existing clients of Hugh James, will benefit from a free GDPR hotline advice service for when you get stuck and need some direction. If you would like to talk through the implications of the GDPR for your organisation, or for more details of our packages, please do not hesitate to contact us.