For your business

General Data Protection Regulation (GDPR) Guidance

Now that GDPR has come into force, have you taken the necessary steps towards being GDPR compliant? Failure to comply may result in a fine from the Information Commissioner’s Office (ICO).

The first step to take in order to comply with GDPR is to carry out a “data mapping” exercise (a data audit) to establish the following:

  • What data your organisation holds
  • Where it came from
  • How it is used
  • What legal basis under GDPR applies to its use
  • Where it is stored
  • Whether adequate measures are in place to protect the data
  • How long the data will be kept

You will need all of this information so you can create robust internal policies to ensure GDPR compliance and make sure you can show you have taken the right steps if questions are ever raised over your handling of any data you hold.

As part of achieving compliance with GDPR, you will likely need to review and update various policies, contracts and other agreements. This can include your data protection policy, employment contracts, privacy policies, supplier contracts, terms and conditions of business, and more.

It is strongly recommended to take specialist legal advice when taking steps to ensure you comply with GDPR. Our expert data protection lawyers can help audit your current policies and procedures, helping to establish where you need to make changes. We can then guide you through implementing those changes smoothly and in a way that matches your business goals.

Speak to our GDPR compliance lawyers now by calling 01689 887 887 or using the contact form at the top of the page to request a call back.

How our solicitors can help your business with GDPR compliance

There are two main areas where we can help guide you through achieving GDPR compliance – employment law and commercial law. We have strong expertise in both, so can help you quickly and cost-effectively get the right measures in place to protect your business.

GDPR & employment law

We can help with issues including:

Advice on updating data privacy notices – You will need to inform employees, job applicants and leavers about the data you are holding.

Contract and policy review – This will include updating the employment contract and preparing a GDPR compliant data protection policy.

GDPR & commercial law

Updating privacy policies – These will need to be updated to inform your customers of the purposes for which their data is used, the legal basis for that use and their rights under GDPR.

Contract reviews – There is a need to review contracts with your suppliers and ensure there are provisions about how data will be handled and shared.

Data protection policies – We are able to provide advice in relation to your use of data for marketing purposes.

Common questions about GDPR compliance

What is GDPR?

The General Data Protection Regulation (GDPR) is a set of EU-wide data protection rules intended to modernise and strengthen protections for the way people’s personal information is held and used by businesses and other organisations.

GDPR applies directly in the UK and is supplemented by the Data Protection Act 2018. It replaces the 1995 Data Protection Directive (95/46/EC) on which the UK’s Data Protection Act 1998 was based.

When did GDPR come into force?

GDPR came into force across the EU on 25 May 2018.

Will GDPR still apply to the UK after Brexit?

While GDPR may no longer apply directly in the UK once we leave the EU, it will still apply to any UK business that offers goods or services to, or monitors the behaviour of, individuals in the EU.

GDPR will continue to apply in the UK during the transition period and may continue to apply after this, depending on what sort of deal the UK government is able to secure with the EU.

What counts as ‘personal data’ for GDPR?

Personal data is any information relating to a living individual who can be identified from it, whether directly or indirectly (for example by name, an identification number, location data or an online identifier).

Certain personal data is treated as “special category” data and attracts extra protection: data revealing a person’s racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, and genetic data, biometric data used for identification, health data and data about a person’s sex life or sexual orientation.

What principles apply when processing personal data?

When processing personal data, you must adhere to the following 6 principles (set out in Article 5 of GDPR):

  1. The processing must be lawful, fair and transparent
  2. Data must only be collected for specified, explicit and legitimate purposes and not used in a way incompatible with those purposes
  3. Data must be adequate, relevant and limited to what is necessary for the specified purpose
  4. Data must be kept accurate and, where necessary, up-to-date
  5. Data must be kept in a form that identifies individuals for no longer than is necessary for the specified purpose
  6. Data must be processed securely, with appropriate technical and organisational measures protecting it against unauthorised or unlawful processing and against accidental loss, destruction or damage

You must also be able to demonstrate that you comply with these principles (the accountability principle), which is why the records produced by a data mapping exercise matter.

What rights does the person the data relates to have?

The subject of any data you hold has various rights with respect to that data, including:

  • To be informed about how their data is used and about their rights (usually via your privacy notice)
  • To access the data you hold on them (a subject access request)
  • To have any errors in that data corrected
  • To have their data erased in certain circumstances (the “right to be forgotten”)
  • To restrict how you process their data in certain circumstances
  • The right of portability (to receive the data they provided to you in a structured, commonly used and machine-readable format and reuse it or transfer it to another provider)
  • To object to you processing their data, including an absolute right to object to direct marketing
  • Not to be subject to decisions based solely on automated processing, including profiling, that have legal or similarly significant effects on them, except in limited circumstances

In addition, where an online service offered to children relies on consent, a child under 13 (the age set by the Data Protection Act 2018; GDPR’s default is 16) cannot give that consent themselves and it must come from a parent or guardian.

What should you do if your business experiences a data breach?

Not every breach has to be reported to the ICO. If a personal data breach is likely to result in a risk to the rights and freedoms of the individuals concerned, your organisation (as data controller) must report it to the Information Commissioner’s Office without undue delay and, where feasible, within 72 hours of becoming aware of it. If you process data on behalf of another organisation, you must notify that controller without undue delay so it can meet its own deadline. Every breach, reported or not, should be recorded internally together with the reasons for your decision.

If the breach is also likely to result in a high risk to those individuals, you must inform them directly without undue delay; the ICO can also require you to do so.

What are the penalties for failure to comply with GDPR?

For the most serious infringements, such as breaching the basic principles for processing (including the conditions for valid consent) or data subjects’ rights, there is a maximum fine of €20 million or 4% of worldwide annual turnover, whichever is the higher.

Lesser infringements carry a maximum fine of €10 million or 2% of worldwide turnover, whichever is the higher.

Our data protection compliance expertise

We have decades of experience offering advice and guidance on employment law and commercial law, including data protection, to a wide range of businesses in London, Kent, across the South East and further afield.

We take a business-minded approach, so we will always make sure our advice is tailored to helping you achieve your commercial objectives, while ensuring full compliance with all relevant legislation. That way, you can operate your business with confidence and avoid the risk of potential regulatory action.

As members of the Law Society’s Lawyers for your Business scheme, we commit to answering enquiries within a maximum of 2 days and we offer a free 30-minute consultation to new clients.

We are also members of the West Kent Chamber of Commerce and the South East Chamber of Commerce, giving us excellent links with many businesses throughout the region.

CWJ is independently regulated by the Solicitors Regulation Authority (SRA), providing assurance that we continually meet the highest standards of legal practice.

Speak to our GDPR solicitors in Orpington now

For expert advice on all issues related to GDPR and data protection regulation, please get in touch now by calling 01689 887 887 or use the contact form at the top of the page to request a call back.