The GDPR legislation

The GDPR legislation is designed to “harmonise” data privacy laws across Europe as well as give greater protection and rights to individuals. Within the GDPR there are large changes for the public as well as businesses and bodies that handle personal information, which I will go into in some depth later on.

After more than four years of discussion and negotiation, both the European Parliament and the European Council adopted GDPR in April 2016. The underpinning regulation and directive were published at the end of that month. After publication of GDPR in the EU Official Journal in May 2016, it will come into force on May 25, 2018. The two-year preparation period has given businesses and public bodies covered by the regulation time to prepare for the changes. There will be no GDPR transition period after May 2018; we are in it now!

GDPR is not a pointless, mindless piece of legislation, which a company has to focus on for the next few months and can then forget. It is a fundamental change in the balance of power between a company and its customers, suppliers, employees or anyone else it trades with or holds personal data on.

This is not only a shift in power. It also comes with onerous data breach notification requirements and new rights for the ‘data subject’. For example, it allows them to withdraw consent at any time, does away with opt-out consent, and expands a data subject’s right of access to the data which a company has on them to include all data files, emails, letters, pieces of paper and scanned images. It also gives them the rights of data portability and to request not to be profiled (think of this from your marketing and data analytics perspective).

Subject Access Requests will now become free, spawning a whole new industry looking to make money off the next quick scam, and will also have a massively shortened turnaround timescale. The concept of personal data is expanded to include electronic identifiers such as IP addresses, cookies and a lot more. Profiling and automated decision-making will have to be justified under legal necessity for provision of a service, or the company will have to show that there is legitimate interest and justification for their use (such as in marketing). If automated decision-making is in use, then the data subject has the right to a manual review of the outcome of this process (the outcome can be the same, but there has to be a manual review).

Our uniquely collaborative and passionate people work alongside our clients every step of the way—caring more, telling it like it is—to anticipate and overcome all the barriers to change.

Our Services
Our GDPR implementation and compliance services

Considering the high sanctions and the limited time that businesses have to ensure that all legal and technical aspects are covered, it is important to pick the right professional partner. Our international legal and corporate advisors are ready to help you identify how GDPR impacts your company and support you in the following areas:

  • Overall revision of your current personal data processing, including follow-up analysis
  • Preparation of internal guidelines, working procedures and manuals, employees’ accord for data processing
  • Revision and adjustment of the appropriate contractual relationship with the persons involved in processing, including subscribers and other business partners
  • Analysis of whether it is required to carry out an impact assessment on the protection of personal data, and any follow-up support in the process, as well as when dealing with the supervisory authority, which should be consulted on the results of the assessment
  • Other services according to your specific needs and requirements

Remember: we use the following phrase: Privacy from Cost to Resource. We have been doing it since 2000.