Clarkson Wright and Jakes Ltd Banner Image

For Business

General Data Protection Regulation (GDPR) Guidance

Now that GDPR has come into force, have you taken the necessary steps towards being GDPR compliant? Failure to comply may result in a fine from the Information Commissioner’s Office (ICO).

The first step to take in order to comply with GDPR is to carry out a “data mapping” exercise (a data audit), to establish the following:

  • What data the organisation holds?
  • Where the data came from?
  • How the data is used?
  • The legal basis applies under GDPR to the use of data?
  • Where data is stored?
  • Whether adequate measures are in place to protect data?
  • How long will data be kept?

You will need all of this information so you can create robust internal policies to ensure GDPR compliance and to make sure you can show the right steps have been taken if questions are raised over the handling of any data.

In order to achieve compliance with GDPR, you will likely need to review and update various policies, contracts and other agreements. This can include your data protection policy, employment contracts, privacy policies, supplier contracts, terms and conditions of business, and more.

It is strongly recommended to take specialist legal advice when taking steps to ensure you comply with GDPR. Our expert data protection lawyers can help audit your current policies and procedures, helping to establish where you need to make changes. We can then guide you through implementing those changes smoothly and in a way that matches your business goals.

Speak to our GDPR compliance lawyers now by calling 01689 887 887 or using the contact form at the top of the page to request a call back.

How our solicitors can help your business with GDPR compliance

There are two main areas where we can help guide you through achieving GDPR compliance – employment law and commercial law. We have strong expertise in both, so can help you quickly and cost-effectively get the right measures in place to protect your business.

GDPR & employment law

We can help with issues including:

Advice on updating data privacy notices – You will need to inform employees, job applicants and leavers about the data you are holding.

Contract and policy review – This will include updating the employment contract and preparing a GDPR compliant data protection policy.

GDPR & commercial law

Updating privacy policies – These will need to be updated to inform your customers of the purposes for which their data is used and their rights under GDPR.

Contract reviews – Review contracts with your suppliers to ensure there are provisions concerning how data will be handled and shared.

Data protection policies – We can advise in relation to use of data for marketing purposes.

Common questions about GDPR compliance

What is GDPR?

The General Data Protection Regulation (GDPR) is a set of EU-wide data protection rules intended to modernise and strengthen protections for the way personal information is held by businesses and other organisations.

GDPR was implemented in the UK with the Data Protection Act 2018 and replaces the previous 1995 data protection directive on which the UK’s Data Protection Act 1998 was based.

When did GDPR come into force?

GDPR came into force across the EU on May 25 2018.

Will GDPR still apply to the UK after Brexit?

While GDPR may no longer directly apply in the UK once we leave the EU, it will still apply to any businesses with customers in the EU and the Data Protection Act 2018 will remain in force.

GDPR itself will continue to apply in the UK during any transition period and may continue to apply after this, depending on whatever deal the UK government is able to secure with the EU going forward.

What counts as ‘personal data’ for GDPR?

Personal data is any information that allows a living individual to be identified, whether directly or indirectly.

Personal data may be considered sensitive if it relates to specific characteristics, including a person’s sex, race, ethnic origin, political opinions, religious or philosophical beliefs or genetic data.

What principles apply when processing personal data?

When processing personal data, processors must adhere to the following six principles:

  1. The processing must be fair, transparent and lawful
  2. Data must only be collected and used for a specific purpose
  3. Data must be adequate, relevant and not excessive for the specified purpose
  4. Data must be kept accurate and up-to-date
  5. Data must only be kept for as long as necessary for the specified purpose
  6. Data must not be lost, damaged or placed in a physically unsafe environment

What rights does the person the data relates to have?

The subject of any data held has various rights with respect to that data, including:

  • To see what data is held on them
  • To have any errors in that data corrected
  • The right to be forgotten (i.e. to delete the data)
  • The right of portability (allowing subjects to obtain the data held on them and use it for their own purposes)
  • To object to the processing of data
  • Restrictions on when data can be used for automated decision making and which will have a significant effect
  • To be notified of rights in relation to data held
  • Parents must give consent for the data of children under 13 to be processed

What should you do if your business experiences a data breach?

Any data breaches must be reported by a data controller to the ICO as soon as possible. If the breach is likely to result in a risk to the subject/s of the data, the Information Commissioners Office must be informed within 72 hours of the business becoming aware of the breach.

The ICO may require you to inform anyone likely to be affected by the breach.

What are the penalties for failure to comply with GDPR?

For the most serious infringements, such as failing to obtain proper consent from a person in relation to their data, there is a maximum fine of €20 million or 4% of worldwide turnover, whichever is the higher.

Lesser infringements carry a maximum fine of €10 million or 2% of worldwide turnover, whichever is the higher.

Our data protection compliance expertise

We have extensive experience offering advice and guidance on employment law and commercial law, including data protection, to a wide range of businesses in London, Kent, across the South East and further afield.

We take a business-minded approach, so we will always make sure our advice is tailored to helping you achieve your commercial objectives, while ensuring compliance with all relevant legislation. That way, you can operate your business with confidence and avoid the risk of potential regulatory action.

We are members of the West Kent Chamber of Commerce and the South East Chamber of Commerce, giving us excellent links with many businesses throughout the region.

CWJ is independently regulated by the Solicitors Regulation Authority (SRA), providing assurance that we continually meet the highest standards of legal practice.

Speak to our GDPR solicitors in Orpington now

For expert advice on all issues related to GDPR and data protection regulation, please get in touch now by calling 01689 887 887 or use the contact form at the top of the page to request a call back.