data protection

  • The regulation is not merely for the 28 EU member states (27 after Brexit). It is for the 31 member states of the European Economic Area (EEA), which includes the 28 EU member states plus Iceland, Norway, and Liechtenstein. GDPR is being integrated into the 1992 EEA Agreement.

    It affects not only EEA nations but also any organisation across the globe offering goods or services to European data subjects, or controlling, processing, or holding the personal data of European nationals.

    While GDPR will bring harmonisation across the 31 EEA nations, the new provisions make European data protection law even more different from the laws of 'third countries', presenting a big challenge for international business and litigation.

    For example, US courts have interpreted certain privacy rights from amendments to the Constitution, including the first 10 amendments, known commonly as the Bill of Rights. By comparison, Europe places greater importance on privacy, which is a fundamental right under Article 8 ECHR.

  • GDPR Summary

    The key changes included in the General Data Protection Regulation (GDPR):

    • The Regulation will enforce tough penalties – proposed fines up to 4% of annual global revenue or €20million, whichever is greater.

    • Even though the UK will not be in the EU post-Brexit, we will still have to comply with the Regulation. Although enforcement beyond EU borders will be a challenge, those providing products or services to EU customers or processing their data may have to face the long arm of the law if an incident is reported.

    • According to a recent YouGov poll, almost two-thirds of UK businesses are unaware of the sanctions they could face when the GDPR comes into force next year, with fines of up to €20m for the biggest companies.

      A startling 62% of businesses surveyed had not even heard of the GDPR.

      Currently, UK businesses can be fined up to £500,000 for a breach of data protection. Next year, from 25 May 2018, this will jump to either €20m or 4% of the company's global turnover. A fifth of the companies surveyed conceded that the possible impact of the fines would push them out of business.

      Despite some businesses being aware that changes were coming, very few knew the scale of the fines. Unsurprisingly, the majority of these were smaller businesses, with just 22% having heard of the rules, whereas 43% of medium-sized and 56% of large businesses had done so.

      Staggeringly, nearly half (57%) of financial services companies knew of the changes. Media and marketing came bottom of the list.

      While the topic has been very much in the public domain, nearly a quarter of the businesses surveyed said they would probably not even know when a data breach occurred.

      They need to learn, and quickly. Last year, the number of fines for data breaches almost doubled, and the total jumped from £541,000 to an eye-watering £3.2m. These will undoubtedly rise after the implementation of the new rules next summer.

      Businesses need to be clear about how data is collected and stored, and a breach must be reported to the Information Commissioner's Office (ICO) within 3 days.

      Finally, it is important that British businesses understand that, while “Brexit means Brexit”, Brexit does not mean the compliance with the Brussels-enforced GDPR can stop. This is happening.

      For further advice and guidance contact Aaron Pearson on 0151 659 1070.

    • Gender Recognition Act criminalises staff

      Following the closure of the Gender Recognition Act consultation, many people have voiced their opinions regarding the need to reform the Act, due to a variety of problematic issues.

      The Employment Lawyers Association (ELA) has discussed the negative implications of the Gender Recognition Act 2004 and has called for a repeal of section 22 of the Act, which it believes inadvertently criminalises innocent members of staff, especially HR employees who assist trans job seekers.

      Section 22 of the Gender Recognition Act 2004 states:

    • HR and GDPR

      The General Data Protection Regulation (GDPR) came into force on 25 May 2018, bringing major changes to the way data is protected and prompting employers to reconsider their employment and HR procedures and amend them in order to comply with GDPR requirements.

      Employers should maintain focus on the following factors:

    • HR data in the cloud

      There are many outsourced HR companies, and so naturally they hold personal data such as an individual's name, address, date of birth, National Insurance number, bank details, salary, etc. Some HR companies provide software or apps to process payroll, pay invoices, and handle employee expenses, bonuses, etc.

      Care needs to be taken as to whether the servers for these apps are based outside the EU or EEA, for example in the United States.

    • Improving cybersecurity measures

      In the past year there has been an array of high-profile data breaches at some of the UK's biggest organisations, including British Airways, Dixons Carphone, and Ticketmaster UK.

      It is alarming that such large, established organisations have jeopardised not only their company's data, but also the personal data of their customers, through their lack of cyber security.

      Many cybersecurity experts believe that a data breach can result from a simple mistake, for example when updating systems or migrating data. Although a substantial amount has been invested in cybersecurity, there are still gaps in the basic procedures, which must be addressed.

    • GDPR Data Processor

      Does a data processor need to be informed when a data controller deletes data?

      A data processor only needs to be informed if the data controller needs support in carrying out the right to be forgotten. It is, however, important for a data controller to define its relationship with the data processor, in order to understand the dynamics between the two. It is also seen as good practice to allow the controller to gain access to deleted records through a Subject Access Request that the controller has received. If a data processor retains copy records as well as backup records, they must be deleted if requested by the controller.

      The deletion process can be difficult to carry out efficiently, but it is essential: according to GDPR, all of the subject's data must be deleted and the backups taken again, which is a lengthy but necessary process.

    • Keeping up with GDPR requirements

      The EU General Data Protection Regulation (the "Regulation") came into effect on 25 May 2018, replacing the Data Protection Act 1998. The GDPR requirements largely repeat the security principles set out in the DPA, although with a much tougher regime and more severe sanctions for breach.

      This change has brought about business challenges for which there is little, if any, legislative or regulatory clarity at present.

       1. How does controller and processor liability work in practice?

    • Does a data processor require a legal basis (beyond the contract it has with the data controller) in order to process data provided by the data controller?

      The processor has to consider the reasonable expectation of the data subject and ensure a legitimate interest is pursued.

      A contractual basis will only work if there is a contract with the data subject; otherwise there would need to be a legitimate interest. However, the purpose of the processing should be limited solely to the processing categories intended by the contract with the controller.

    • A question many people still have is whether, regardless of whether legitimate interest is the basis for processing data, organisations still have to gain consent where, for example, downloads or website form filling are required.

      The Information Commissioner's Office (ICO) states that you can rely on lawful bases other than consent, for example where processing is necessary for the purposes of that organisation's legitimate interests. Thus, it is possible to use only this as the lawful basis for processing data.

      GDPR states there need be only one lawful basis, with one not taking precedence over another. However, exceptions to applicability of lawful bases may change if special category data is involved. Further, consent should be the last option, given the ease with which it can be withdrawn (see Article 21).

      Regarding website downloads, forms, etc., there needs to be an assessment of the context and intended use of the data before choosing whether to obtain consent or to show that processing is needed for a legitimate interest.

    • GDPR compliance

      According to a recent survey, 17 out of 24 regulatory authorities were unprepared for the General Data Protection Regulation (GDPR) when it was introduced on 25 May 2018.

      Regardless of these statistics, organisations cannot afford to become complacent, as all businesses are at risk of data breaches. Therefore, GDPR compliance must be continually enforced.

    • Marketing data prior to 25th May 2018

      Imagine the scenario: you hold marketing data, collected from lead generation firms, meetings, seminars, etc., maintained as a contacts database for marketing purposes. You have already contacted some of the people on this database, but others you have not.

      In order to comply with the GDPR requirements you need to know:

      How is this affected by GDPR?

      Do you need to contact all the earlier contacts to get consent?

      Can this be deemed legitimate business use?

    • Obtaining Consent

      When seeking to acquire informed consent, the default solution tends to be to obtain written consent from each and every customer. This is of course perfectly fine, if it is manageable. But even once this task is overcome, there remains the burden of gathering the consent documents and filing them, followed by ensuring the data is correct, etc.

      Remember, consent is just one of the ways in which processing data might be justified. Therefore, consider the processes that you are seeking consent to carry out, and look at alternative lawful bases.

    • Record keeping - right to be forgotten

      GDPR gives individuals the right to have their personal data deleted, although this is not an 'absolute' right. If you still need to retain the personal data concerned, you may be able to refuse the request. Moreover, the right to erasure does not mean you must erase all the data if you have a need and a legitimate interest basis to process the data for audit records. If you cannot erase data (for example, where there is a legal requirement to keep certain records for 6 years) then consider restricting the processing, such as moving it to an archive.

      The data minimisation principles should also be applied, together with an appropriate retention period. Ensure that you inform the data subject as to what data you are keeping.

    • Restaurants utilising big data

      Restaurant owners are stepping up the competition through the powerful tool of consumer data, which allows them to improve their services by understanding customer preferences and even dietary requirements via mobile apps and online reservation systems.

      Starbucks, one of the biggest chains in the world, uses mobile apps to improve customer satisfaction. At first their mobile app could only be accessed by Starbucks Rewards loyalty members, but they found that this only obtained the data of existing and loyal customers, which is why they opened the app up to everyone in March this year.

      The coffee chain also required customers who visited stores during "Happy Hour" to register on the Starbucks app, as well as introducing email sign-up for customers who wished to access in-store Wi-Fi.

      Kevin Johnson, the Chief Executive at Starbucks, informed investors that Starbucks obtained data from an additional 5 million customers in just 90 days, increasing their "digital relationships". He also discussed their ongoing growth, stating:

    • Subject Access Request and Confidential References

      A Subject Access Request (SAR) is a written request from an individual for access to the information about them which they are entitled to ask for under the Data Protection Act.

      There has been some debate on what must be included in an SAR, most recently in relation to the inclusion or exemption of confidential references.

      Previously, under the Data Protection Act 1998, employees had the right to access their personal information, including references from current or former employers, although employers did have the right to refuse disclosure of this information to the employee. In this instance, an employee could get around the employer's decision by applying to the recipient employer for their reference, and that employer could not decline disclosure.

    • Cyber Awareness Month

      October is Cyber Security Awareness Month, which means organisations should be reviewing their current cybersecurity measures in an effort to prevent data breaches and cyber threats. The need to improve cybersecurity has also been amplified since results from the Cyber Security Breaches Survey 2018 established that 43% of businesses have suffered a data breach in the last 12 months.

      Small businesses especially should be evaluating their cybersecurity measures, as according to research from security firm Sitelock, smaller organisations are actually more at risk of a website hack, mainly due to their lack of cybersecurity and website maintenance.

      Laura Dodge, Marketing Manager at the web development agency Pedalo, discussed the indispensability of implementing cybersecurity and website maintenance, stating:

    • Social media security for businesses

      Experts believe that the greatest threat to an organisation is not its lack of cybersecurity; it is actually its employees who tend to cause the most damage.

      This comes after 77% of survey respondents indicated that, regardless of training and adherence to company policies, it is actually employees that are the main source of cyber-attacks, as they may be unaware of the warning signs. Therefore, it is vital that companies improve cybersecurity training by teaching staff how to protect themselves, as well as how to conduct themselves online, especially on social media.

      As social media is an integral part of engagement, and with that comes an inherent level of trust, it is vital that everybody is aware of what is safe when posting content. This is particularly the case for employees who are responding to customers, as they must be aware of online actors who use fake accounts to pose as customers and deliberately target staff and the organisation.
