Mishcon de Reya
What is GDPR?
Legal Director, Mishcon de Reya
I am Nina O’Sullivan, Legal Director at Mishcon de Reya.
What is GDPR? GDPR, or the General Data Protection Regulation is an EU wide overhaul of data protection law which will apply across the EU, including the UK, from 25 May 2018. It builds on existing principles of data protection but it enhances privacy protection, promotes transparency and gives individuals more control over their personal data. Personal data could be anything from customer’s contact or bank details, to employee data such as sickness or holiday records. It also includes online identifiers such as an IP address. GDPR imposes new and more onerous obligations on controllers, those who determine how and why personal data is processed, and processors who act on the controller’s behalf. Two key themes in GDPR are transparency, you must tell people in clear language what you will do with their data through concise and easily understood privacy policies. And accountability, you must be able to show that what you have done is in accordance with the law. A controller must have a lawful basis to process personal data. This could include processing where it is necessary for its legitimate interests, where consent is obtained the bar has been set much higher. Pre-tick boxes are no longer allowed. A data breach may lead for a fine of up to 4% of the worldwide turnover of the business or Euros 20,000,000, whichever is the greater. The bigger concern for business may be private enforcement, claims for damage or distress and damage to their reputation. Certain types of breaches must be reported to the UK Information Commissioner within 72 hours. Breaches can be deliberate or accidental but most frequently stem from mistakes – employees leaving laptops on trains, sending emails to the wrong recipients or failing to keep passwords secure. GDPR may seem disruptive but it could strengthen customer relationships. How have you embraced the opportunities?
Mishcon de Reya
It’s business. But it’s personal.