Take a look at our commercial awareness guide on GDPR to see what you need to know.
Make sure you can explain:
A good way to demonstrate your commercial awareness when it comes to GDPR is to explain what happens to a company when it violates the law.
The GDPR introduced the principle of accountability, which requires organisations not only to comply with the data protection principles but also to be able to demonstrate that compliance: by implementing data protection policies, by keeping records of processing activities and by carrying out data protection impact assessments.
Data protection enforcement powers under the GDPR include the ability of national supervisory bodies to levy fines of up to 20 million euros (£17.5 million) or 4% of an organisation’s annual global turnover in the preceding year, whichever is higher.
The administrative sanctions available to the ICO range from warnings and reprimands to compliance orders and restrictions or bans on data processing. The incumbent Information Commissioner stressed that fines will not be used as sticks to unduly punish organisations, but will be commensurate with the seriousness of the infringement and reserved for the most flagrant and damaging breaches.
Article 83(2) of the GDPR sets out the factors the national supervisory authority must assess when deciding whether to impose an administrative fine and how much it should be. These include the number of data subjects affected by the infringement, the level of damage suffered by them and the categories of personal data involved.
The ICO will also take into account the conduct of the data controllers and data processors concerned: their compliance history, their conduct in the lead-up to the breach, and how they responded once it had occurred.
Under the former data protection regime, telecoms giant TalkTalk was fined £400,000 in 2016 for failing to adequately protect customer data from a cyber attack, and a further £100,000 the following year for further failures to protect customer data.
The GDPR has not only lifted the ceiling on monetary penalties but also introduced a 72-hour window within which data controllers must report a personal data breach to the national supervisory authority (in the UK, the ICO) after becoming aware of it and, where the breach is likely to result in a high risk to the individuals affected, must also inform the data subjects whose personal data have been compromised. Data processors, for their part, must notify the controller without undue delay.
Organisations with comprehensive codes of conduct, procedures and policies will be well placed to navigate the new data protection minefield and to avoid corrective measures for infringements.
Make sure you can remember some of the largest GDPR fines ever imposed, too.
“There’s a lot in the GDPR you’ll recognise from the current law, but make no mistake, this one’s a game changer for everyone” – Elizabeth Denham
The GDPR presents challenges in the form of implementing policies, procedures and systems to comply with the new data protection obligations. The twin aims of the GDPR are:
The latter includes law firms (although they can also act as data processors when receiving bulk data) and data processors such as sporting bodies.
Processing client data is intrinsic to the role of a lawyer, and law firms will need to consider their risk profiles for GDPR compliance carefully. They will also need to think about the impact on data collection for the purposes of setting up a data room and for disclosure, or discovery, as it is known in the US (cast your mind back to season 2 of Suits, Travis Tanner and the memo found and destroyed by Donna).
Having been involved in three disclosure exercises in my Litigation seats during my first nine months as a trainee solicitor, I can assure you that the volume of documents to be reviewed for relevancy to the issues in dispute can be immense.
For those with a glass half-full mentality, the GDPR heralds the dawning of a harmonised data protection regime across the EU. The streamlined approach to data protection compliance will bring an end to navigating multiple data protection regimes across different jurisdictions.