Rely on the most comprehensive, up-to-date legal content designed and curated by lawyers for lawyers
Work faster and smarter to improve your drafting productivity without increasing risk
Accelerate the creation and use of high quality and trusted legal documents and forms
Streamline how you manage your legal business with proven tools and processes
Manage risk and compliance in your organisation to reduce your risk profile
Stay up to date and informed with insights from our trusted experts, news and information sources
Access the best content in the industry, effortlessly — confident that your news is trustworthy and up to date.
With over 30 practice areas, we have all bases covered. Find out how we can help
Our trusted tax intelligence solutions, highly-regarded exam training and education materials help guide and tutor Tax professionals
Regulatory, business information and analytics solutions that help professionals make better decisions
A leading provider of software platforms for professional services firms
In-depth analysis, commentary and practical information to help you protect your business
LexisNexis Blogs shed light on topics affecting the legal profession and the issues you're facing
Legal professionals trust us to help navigate change. Find out how we help ensure they exceed expectations
Lex Chat is a LexisNexis current affairs podcast sharing insights on topics for the legal profession
Printer Friendly Version
Among the many challenges facing legal advisors, compliance officers and, indeed, boards of directors in the coming months and years, will be the requirement to review and, in most cases, substantially overhaul, their data protection and management practices.
Dean Armstrong QC gives us an overview of the latest developments in cyber law in the light of the latest political developments in the UK.
In May 2018, the General Data Protection Regulation (GDPR) comes into direct effect in the United Kingdom.
This Regulation is the first attempt at unifying regulation of personal data attempted by the European Union. It is an acknowledgement of what is becoming a reality of life, the protection and care of an individual’s personal data is sacrosanct.
Notwithstanding, it is almost certain that the UK will still be subject to EU law in May 2018, post-Brexit, in order to exchange data with EU corporates and EU subjects, the UK will have to adopt data protection regulation that is either as rigorous as the GDPR or more so.
There are currently three broad paths open to the UK post-Brexit:
The government’s recent announcements make it likely that the third option may be followed, but significantly it has been indicated that the initial stance will be that all EU regulations will be adopted until repealed.
Under the first two options, it is clear that the UK would need to adopt data protection regulation that is at least as strict as the GDPR. Under the third option, the UK would still need to adopt 'adequate' protections in order for the EU to allow its members to pass information to the UK. In other words, the UK would still need to regulate to at least the standard of the GDPR.
The Regulation applies to the processing of personal data in the context of the activities of an establishment or controller or processor in the Union, regardless or whether the processing takes place in the Union or not.
Further, the Regulation applies to the processing of personal data of data subjects who are in the Union by controllers or processors not established in the Union, where either processing activities are related either to the offering of goods or services to such data subjects in the Union, or to the monitoring of their behaviour in as far as their behaviour takes place within the Union. The latter point is highly significant since many corporates monitor the behaviour of EU citizens online and that alone brings them within the scope of GDPR.
Here, personal data means any information relating to an identified or identifiable natural person ('data subject'). Controller means a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
The Regulation is built on six principles. Personal data must be:
Before dealing with the draconian breaches envisaged by the Regulation, there is a direct right of action through the Regulation.
Article 82 gives a right to compensation to any person who has suffered material or non material damage as a result of an infringement of this Regulation. This outlines the real significance of the Regulation. It doesn’t have to be a major security breach which can attract sanction.
Within the Regulation are contained penalties of a magnitude not seen before. Infringements of articles 8, 11, 25-39, 42 and 43 shall be subject to fines of up to 10 million euros or, in the case of an undertaking, up to 2% of worldwide annual turnover for the preceding year; whichever is higher. These include failures in compliance in the areas of: processing of children’s data; notification of a data breach; data protection impact assessment; implementation of data protection by design or default.
Infringements of articles 5, 6, 7, 10-22, 44-49 and 43 shall be subject to fines of up to 20 million euros or, in the case of an undertaking, up to 4% of worldwide annual turnover for the preceding year; whichever is higher.
Breach of any of the six principles - principles of lawfulness; not getting proper consent; provision of required information where data are collected from the data subject; right of access by data subject; right of rectification; right to be forgotten; data portability; right of objection; and data transfers - attract these potential sanctions.
It is illustrative to note one example of where organisations affected by the Regulation will need to change their practices.
Article 7 sets out the conditions for consent. It states that, where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data. The data subject shall have the right to withdraw his or her consent at any time.
So now consent has to be active and demonstrable. You can’t assume consent unless you hear to the contrary. This will have a profound effect on how long and the purpose for which an organisation can keep personal data ( both subject to specific articles in the Regulation) and the importance of a continuing review. There will have to be an audit trail showing that consent is still active. If not, sanctions of up to 4% of worldwide turnover could be visited on an undertaking.
The prospective penalties for breach of compliance with the Regulation are so large that preparation for compliance cannot simply be put off. Organisations need to act now to ensure that they are not the ones making the headlines for all of the wrong reasons.
0330 161 1234