Adviser - Autumn 2017

Adviser spoke to Jon Bloor, Corporate Commercial Partner at Ellisons Solicitors, to discuss the upcoming General Data Protection Regulations and how they will affect businesses of all shapes and sizes.

Does that mean that all businesses will have to go through their databases and get fresh consent for all marketing communications?

Unfortunately in some cases the answer to this could be “yes”. Where you rely on consent of the data subject for processing of their data, the GDPR requirement is that it must be freely given, specific, informed and unambiguous, and based on some clear affirmative action (i.e. an opt-in). In particular, consent can’t be granted by silence, pre-filled boxes or inactivity, or in a general set of terms and conditions accepted by the user. You will need to be able to provide evidence of how and when consent was obtained. The GDPR doesn’t automatically require businesses to obtain fresh consents, but if you can’t produce evidence that the individuals on your mailing list have given consent which meets the above requirements then you may need to obtain fresh consents in order to continue processing their data for marketing purposes.

What happens if businesses in the UK don’t comply with GDPR? Will they be faced with fines?

The headline position, which has been heavily reported, is that the most serious breaches of the GDPR could give rise to a fine of either up to 40% of your annual turnover or up to €20,000,000, whichever is higher. However, it’s worth bearing in mind that the largest fine issued by the Information Commissioner under the existing legislation is already £350,000, so the consequences for businesses of not taking their data protection obligations seriously can already be severe. The Information Commissioner’s Office (ICO) have already stated that they will take a “proportionate” approach to enforcement under the GDPR, and it’s unlikely that a business which was making genuine efforts to comply with its GDPR obligations would be hit with fines of this scale.

What is GDPR and when will it happen?

The new General Data Protection Regulation (GDPR) comes into force on 25 May 2018, which leaves only a few months for businesses to prepare. Larger corporations and public authorities are already taking GDPR seriously; at the time of writing there were well over 1,000 advertised roles across the UK for new Data Protection Officers. For owner-managed businesses and SMEs the picture is rather different. Most clients we talk to are aware that the new regulations are coming in next year, but have not necessarily taken all of the necessary steps to prepare.

Scrutton Bland | Legislation
