Tough new EU laws mean businesses could be liable for fines of up to 20 million euros (£17 million) or 4% of their annual worldwide turnover, whichever is greater, warns leading law firm Blake Morgan.
The law firm warns that many organisations across the public and private sectors are not prepared for the changes as it launches a free guide on its website to mark the one-year countdown to General Data Protection Regulation (GDPR).
GDPR applies from May 25 next year, and all organisations which retain or process personal information will need to comply.
Data Protection specialists at the firm have been alerting clients to the new rules on how they handle personal data, including the ‘right to be forgotten’ (the right to erasure).
Bruce Potter, Chairman of Blake Morgan, said: “We are now just a year away from a major shake-up of information governance laws at a European level and it’s fair to say that many businesses and public sector organisations are underprepared.
“The huge growth of the digital economy in recent years requires a more robust legal framework to ensure public confidence in the protection of information and organisations now need to adapt to these higher standards.
“It is not only reputation that is at stake for failure to comply as there will be a significant increase in monetary penalties. Our data protection and regulatory experts have carefully devised this guide which highlights the most important actions organisations should take to comply and I would urge decision-makers to take a look.”
Blake Morgan, which has offices in Cardiff, London, Oxford, Portsmouth, Reading and Southampton, says it is important that businesses and public bodies act now to understand the regulations and implement measures for compliance.
Its report GDPR: A Practical Guide to Achieving Compliance gives detailed and informed analysis of the key changes on the way. These include fines of up to £17 million or 4% of annual worldwide turnover (whichever is greater) for the most serious infringements, and a requirement to notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals.
Among the action points in the guide are:
- Review customer-facing terms and privacy policies. These are likely to need substantial revisions to meet the new requirements.
- Decide whether a Data Protection Officer needs to be appointed in-house. Alternatively, explore whether you could outsource the role.
- Review contracts with processors to ensure they have robust provisions around record-keeping.
- Ensure that the risk of penalties for non-compliance is fully understood at board level.
- If you collect information about children, then you may need a parent or guardian’s consent to process their data lawfully. Consent must be verifiable, and privacy notices must be written in language that children will understand.
Blake Morgan is the only law firm accredited to provide the BCS Certificate in Data Protection course, which is an intensive five-day course leading to a professional qualification (on successful completion of an externally marked exam). The qualification is ideal for anyone with data protection responsibilities, particularly those taking on the Data Protection Officer role under the GDPR.
Blake Morgan’s lawyers offer both a start-to-finish consultancy package for achieving compliance and a complement of individual services to target known areas of concern.
Among data protection projects in recent years have been advising a world-leading UK charity on cross-border data flows and compliance with overseas legislation, as well as conducting a major data protection compliance project with a UK university.
Despite the Brexit negotiations, the Government has confirmed that the UK will be implementing the new rules in full and there are good reasons for assuming that the UK will continue to apply European standards for data protection for many years to come.
Blake Morgan’s data protection and regulatory experts are available to answer questions from organisations about GDPR at GDPR@blakemorgan.co.uk