The EU’s general data protection regulation (GDPR) will come into force in May next year, replacing all data protection legislation in EU member states. Currently, the Information Commissioner can issue a monetary penalty notice of up to £500,000 for Data Protection Act 1998 breaches. The GDPR will introduce much higher fines. The government is also pushing through a data protection bill, which will replace the Data Protection Act and set new standards for protecting data, in accordance with the EU regulation.
The legislation applies to the “processing” of “personal data”, both terms being very widely defined. This means that practically any business operating in the UK which holds information about individuals (whether employees, customers or anyone else) is affected. Since breaches of Data Protection laws can result in criminal as well as civil liability (not to mention adverse publicity), you cannot afford to ignore your Data Protection obligations.
The Data Controller is defined as the person who determines the purposes for which and the manner in which any personal data is processed. In contrast, a Data Processor processes personal data only on behalf of a Data Controller. Where, for example, payroll administration is outsourced to a third party, that third party will usually be a Data Processor.
We not only advise our clients as Data Controllers and Data Processors but also prepare appropriate Privacy Policies and advise on the content of clients’ websites, to ensure that any information collected, whether via the web or otherwise, is stored in compliance with the legislation.
We also advise on the extent to which personal data may be used for marketing purposes.