What GDPR Means for Your Company | Davis Blank Furniss Solicitors
Alexandra Herbert at DBF Law

As of 25th May 2018, the Data Protection Act 1998 (DPA) will be replaced by the General Data Protection Regulation (GDPR). This will result in numerous changes with which businesses must comply, as failure to do so could result in a fine of up to 4% of annual global turnover (maximum fine of €20 million). It is therefore vital that all key members and decision makers within the company are fully aware of, and trained on, the changes and the impact that the new regulations will have.

Some of the significant changes brought about by the GDPR include:

  • Consent to use data must now be in an easily accessible form, and must be written in clear and concise language, with a positive opt-in (rather than being inferred from the un-ticking of a box). It must be made clear to the individual that his or her consent can be easily withdrawn at any time. Businesses should record all forms of consent, and review and amend their current consent documents, so as to ensure that they follow the GDPR guidelines.
  • The GDPR grants additional rights to individuals, which were not contained in the DPA. Companies therefore need to implement procedures which allow them to deal easily with customers' requests to delete all personal data or to provide copies of data electronically and in a commonly used format.

The GDPR includes the following rights for individuals:

  1. the right to be informed;
  2. the right of access;
  3. the right to rectification;
  4. the right to erasure;
  5. the right to restrict processing;
  6. the right to data portability;
  7. the right to object; and
  8. the right not to be subject to automated decision-making including profiling.

  • The time period for handling access requests has been reduced from 40 days (as under the DPA) to 30 days. If a request is to be refused, full and concise reasoning must be provided to the individual within one month. Failure to comply with this entitles an individual to issue a complaint to the supervisory authority or potentially gain access to judicial review rights. It is paramount that a company handling a large number of requests develops an efficient system so that it can respond without delay. It may therefore be worth considering the development of an online system that gives individuals easy access to their personal information. This would allow requests to be dealt with much more efficiently.
  • A company must appoint its own Data Protection Officer (DPO) if it has more than 250 employees, is a public authority, or if it monitors a large number of individuals and processes large amounts of data regarding special categories, such as criminal convictions. This individual should be competent in their role and able to take full responsibility for the protection of data. Under the DPA, it was not a strict requirement to appoint an overarching DPO, and data protection controllers would often submit the required information to local administrators with a part-time DPO role. Now larger companies are more likely to have to appoint someone to a DPO role solely dedicated to the protection of their customers' data.

In addition, the Privacy and Electronic Communications Regulations (PECR), which previously sat alongside the DPA, will be amended and reviewed so as to be uniform with the GDPR. Although not yet confirmed, it is thought the PECR will adopt a similar definition of ‘consent’ to the GDPR and will detail specific privacy rights in relation to electronic communications. The PECR deals with electronic marketing communications and is stricter in many respects than the DPA or GDPR in this regard, as there is no possibility of even seeking to use ‘legitimate business purposes’ as a basis for processing without consent under the PECR.

It is vital that a company investigates and handles a personal data breach in accordance with the GDPR. Under the DPA, companies were encouraged to report data breaches, but this suggestion was not enforced. Once implemented, the GDPR will require a company to report a data breach to the relevant supervisory authority within 72 hours if it is likely to result in a risk to the rights of an individual, such as damage to their reputation or loss of confidentiality.

Details that must be included in this data breach report include:

  • the nature of the breach;
  • the contact details of the DPO;
  • a brief description of the potential consequences; and
  • proposed measures to combat the breach.

The GDPR is a particularly important piece of new legislation, affecting a large number of businesses in the UK. On the whole, the rights individuals will enjoy under the GDPR are very similar to those under the DPA, but with some significant enhancements. If companies are geared up to give individuals their rights now, then the transition to the GDPR should be relatively easy.

Should you wish to discuss the GDPR in more detail and discuss how your business could effectively implement changes to adhere to the new regulations, please contact our Corporate Commercial department on 0161 832 3304.

