Since 25 May 2018, the GDPR has been fully enforceable throughout every member state of the European Union. But the GDPR also has an international dimension, and it is therefore of the utmost importance that all small and medium sized enterprises (SMEs) worldwide ensure that their data processing activities comply with the obligations of the new data protection regime now that this deadline has passed.
Our team provides assistance on all aspects of achieving and maintaining compliance with the GDPR. This includes:
Carrying out a data audit or reviewing an existing or partial data audit which identifies:
These initial audits form the basis of the report. This is a risk-based review of the results of the audit setting out the GDPR compliance issues that have been discovered, the risks associated and recommendations on resolving the issues and moving towards compliance.
Putting in place the various solutions, strategies, policies and plans identified by the report (including updating or producing data protection policies, updating data sharing and processing contracts, potentially appointing a Data Protection Officer and carrying out any internal training that may be necessary).
Ongoing support and engagement to maintain GDPR compliance, which, depending on need, can consist of:
Please feel free to contact us to learn more about how we can help with any of the above. Alternatively we are happy to offer tailored assistance based on your organisation’s needs.
We will be running a webinar that aims to recap on our GDPR guides, discuss key challenges of implementing the regulation and answer any questions that you may have. Sign up for our GDPR webinar here.
Below we briefly set out an introduction to some of the key differences between the old and the new regimes that SMEs in particular will need to be aware of.
The fundamental principles of personal data protection and safeguarding the rights of data subjects remain, in essence, the same. However, the way the GDPR ensures the principles are realised has undergone substantial changes. A few of the key differences between the old and new data protection regimes are explained here.
The most material change introduced by the GDPR is the significant uplift in sanctions for breaching data protection requirements. A tiered approach will apply, such that the level of fine will depend on the category of obligation breached. But non-compliant companies could receive fines of up to the higher of 4% of their annual worldwide turnover or €20 million.
The GDPR applies to data processing activities regardless of territorial boundaries. Companies and their activities no longer have to be based or established in the EU to be subject to the European data protection rules. Instead, the obligations under the GDPR attach to the EU resident data subjects themselves. As a result, a company whose activities relate to either: (i) the offering of goods and services to EU citizens (whether these are offered for free or not); or (ii) the monitoring of behaviour that takes place within the EU, will be subject to the GDPR.
The rules around data subject consent have also undergone substantial changes and have been dramatically strengthened to ensure that all requests for consent are made clearly and in intelligible and easily accessible forms. For example, pre-ticked boxes to indicate consent will no longer be acceptable.
Data subject rights have also been revamped, with brand new rights being introduced and the enhancement of existing rights, including the following:
More information is available on the Information Commissioner’s Office webpages:
Performing a data and information audit of your company to identify precisely what personal data you currently process is the first step in becoming GDPR compliant.
Company-wide training should cover the basic features of the GDPR, new policies and practices your company has implemented, as well as job-specific guidance. We recommend that you approach staff training by identifying two main groups.