Compliant or not: the GDPR is here

The GDPR came into force on 25 May 2018 and brought with it additional rights for individuals and additional obligations for organisations. It also extends its reach beyond European borders and applies not just to companies within the EEA but also to some organisations outside the EEA.

With the legislation now in force, all eyes will turn towards the regulators to see how this piece of legislation will be enforced. We have already heard from the Information Commissioner in the UK that high fines can and will be levied on those that persistently, deliberately or negligently flout the law. And the ICO’s specified areas of focus are reportedly cyber security, artificial intelligence and device tracking. How this will all play out in practice remains to be seen.

For those organisations still on the compliance journey, there is a wealth of information to assist. We have published a GDPR hub, accessible here, which includes a series of briefings and webinars that take a deeper dive into some of the key considerations in any compliance programme. Copies of the briefings are accessible by clicking on the links below:

  1. The GDPR: the “whole of business” issue at the top of your board agenda
  2. The rise of the intelligent business: spotlight on employers
  3. Extending the long arm of the law: Extra-territoriality and the GDPR
  4. Data use – protecting a critical resource
  5. Supply Chain Arrangements: The ABC to GDPR Compliance


Supply chain arrangements: The ABC to GDPR compliance

With increased outsourcing to the cloud or other third party external service providers and an increasingly complex supply chain for businesses, modern strategies for leveraging data can bring significant business efficiencies, competitive edge and growth opportunities, but also a range of risks that need to be understood and mitigated.

This has been matched by a rise in the relevance of data protection and associated regulation. In the words of the Information Commissioner, the EU General Data Protection Regulation (the “GDPR”) represents an “evolution” rather than a “revolution” in data protection regulation. Whilst existing data protection obligations have certainly been “tightened up” a notch, fundamentally, the current underlying data protection principles remain largely unchanged.

The new EU data protection framework does, however, introduce some key changes that are giving rise to closer scrutiny of the supply chain protections in place between controllers and processors and, in turn, we are seeing a shift in the approach adopted by both parties in negotiating and implementing data processing arrangements.
