The EU’s General Data Protection Regulation (GDPR) came into force in May 2018, replacing all data protection legislation in EU member states. Previously, the Information Commissioner could issue a monetary penalty notice of up to £500,000 for Data Protection Act 1998 breaches. The GDPR introduced much tougher fines. The Data Protection Act 2018 incorporated the GDPR into UK law.
The legislation applies to the “processing” of “personal data”, both terms being very widely defined. This means that practically any business operating in the UK which holds information about individuals (whether employees, customers or anyone else) is affected. Since breaches of Data Protection laws can result in criminal as well as civil liability (not to mention adverse publicity), you cannot afford to ignore your Data Protection obligations.
The Data Controller is defined as the person who determines the purposes for which and the manner in which any personal data is processed. In contrast, a Data Processor processes personal data only on behalf of a Data Controller. Where, for example, payroll administration is outsourced to a third party, that third party will usually be a Data Processor.
We not only advise our clients as Data Controllers and Data Processors but also prepare appropriate Privacy Policies and Data Sharing agreements. We also advise on the content of clients’ websites to ensure that any information collected, whether via the web or otherwise, is stored in compliance with legislation.
We also advise on the extent to which personal data may be used for marketing purposes.