BTO Solicitors LLP: Demystifying the GDPR

06 November 2017

The General Data Protection Regulation (GDPR) will have direct effect throughout Europe from 25 May 2018. The UK will still be in Europe at that time. The Government has confirmed that UK businesses will need to comply.

Post-Brexit there are unlikely to be many changes as the GDPR applies to anyone processing the personal data of those in the EU and therefore in order to continue to do business with Europe the standards will have to remain the same.

What Do Businesses Need to Think About Now

Lawful processing and Consent: It will become difficult to obtain valid consent under the GDPR, but there are other lawful bases which have been ignored under the DPA. Businesses must identify what lawful basis it is relying on: is it necessary for you to gather the data for the performance of a contract; is it necessary for you to share the data because of a legitimate interest you have?

Transparency and Fair Processing: Any processing must also be done fairly which means telling individuals what you are doing with their data even if you do not require their consent.   Under the GDPR, you must provide the information in a Fair Processing Notice when you collect their information: your identity; the purpose for processing the data and the legal basis for processing amongst other information, including advising data subject of their rights.

Accountability and Recording Data Processing: If you have over 250 employees or your processing is likely to result in a risk to the privacy rights of individuals, then you must maintain a  record of processing including the purpose of your processing; the categories of data you are processing; the recipients of data, including if they are in a third country.

Data Protection Officer: Certain organisations, including public authorities, will require to have a DPO to advice on GDPR compliance. This individual cannot be someone who makes decisions about data processing, but should have access to the Board. 

Data Subject’s Rights: There are some enhanced and some new rights and organisations must have a system in place to deal with them. The timescales are tight for compliance. Subject access requests must be complied with in 30 days. In certain circumstances there is a right to be forgotten; a right to restrict processing and a right to object to processing. There are new rights concerning automated decision making and a right to move your data from one provider to another – data portability.

Data Controllers and Data Processors: Both now have obligations to comply with the law and both can be investigated and fined. Any contract a data controller has with a processor must contain certain terms as set out in the Regulation to ensure compliance and to ensure that the Data Controller is aware of any sub-contractors.

Finally, certain personal data breaches must be reported to the ICO and once they have been investigated, if the ICO finds that you have not complied with the GDPR then you can be fined up to €20 million.

Laura Irvine
Partner & Solicitor Advocate
T: 0131 222 2939