The European Union’s General Data Protection Regulation (GDPR) came into force on 25 May 2018, replacing the Data Protection Act 1998. Every business in the United Kingdom that handles personal data has to comply with the legal framework.
Key points to consider
Valid consent to using personal data
The requirements for consent were tightened with the introduction of the GDPR. Clear, affirmative consent is now required: silence or pre-ticked boxes on your website no longer constitute valid consent from a customer.
You also have to give the customer the right to withdraw their consent at any time, and it must be as easy to withdraw consent as it was to give it. In practice this means allowing the customer to withdraw consent using the same method that was used to obtain it in the first instance.
Special categories of personal data
Most businesses are already familiar with the concept of ‘sensitive data’ from the previous data protection legislation; the GDPR refers to this as ‘special category’ data. It includes information concerning racial or ethnic origin and health generally, and there are other categories too, including genetic and biometric data. Such data may only be processed where one of the specific conditions set out in the GDPR applies, in addition to the usual requirement for a lawful basis.
Accountability
Obligations are now imposed on you to show that you have considered and integrated compliance measures into your day-to-day practices. This may mean adopting appropriate data protection policies, training staff and appointing a data protection officer where one is required. Importantly, you now have to be able to demonstrate that you comply with your obligations under the GDPR by keeping appropriate records.
Contracts with data processors
The GDPR requires you to have written contracts, containing the terms it specifies, with any service providers who process personal data on your behalf, and to ensure that they comply with their obligations under the GDPR. In a significant departure from previous legislation, processors are now directly regulated: if you are processing data on behalf of a third party, the GDPR places specific legal obligations on you and makes you liable for breaches that you are responsible for.
Right to erasure
The right to erasure, more commonly known as the ‘right to be forgotten’, allows data subjects to have their personal data erased in specific circumstances, such as where the personal data is no longer necessary for the purpose for which it was originally collected or processed.
Data breach notification
If you accidentally or unlawfully destroy, lose, alter, disclose or give access to personal data, a requirement to notify the Information Commissioner’s Office may be triggered, depending on the nature of the breach: notification is required without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms. You may be tempted not to notify in order to avoid bad publicity; however, failure to notify risks an administrative fine of up to €10,000,000 or two per cent of total worldwide annual turnover in the preceding financial year, whichever is higher.
For the most serious infringements, such as breaches of the basic principles for processing or of data subjects’ rights, the maximum penalty is doubled to €20,000,000 or four per cent of total worldwide annual turnover, whichever is higher.
Our GDPR solicitors
Our expert team of GDPR solicitors works with businesses to put the best data protection systems in place to comply with the Regulation. We draft detailed compliance policies setting out a business’s approach to the GDPR and the steps that need to be taken to properly collect, store and safeguard relevant data.
Our solicitors are also recommended by the independently researched Legal 500 as one of the top teams of specialists in the country.
For more information about our data protection services for businesses, contact our GDPR solicitors in Derby, Leicester or Nottingham via our online form or call 0800 024 1976 for a guaranteed response.
"Nelsons Solicitors Limited is sought out to advise on outsourcing and IT projects, software development, licensing and maintenance. Harpreet Sandhu heads up the non-contentious IT practice, while Emma Ward leads the contentious IT/IP offering. Sandhu has a high level of expertise in GDPR matters and regularly speaks at events on GDPR compliance." (Legal 500)
"An approachable team with comprehensive knowledge, which works in an efficient manner." (Client feedback)
"All team members respond to questions with clarity and without delay…" (Client feedback)
"The team at Nelsons is very helpful, supportive and prompt in responding to any problems." (Client feedback)