GDPR - General Data Protection Regulation

General Data Protection Regulation

The GDPR (General Data Protection Regulation) is one of the most impactful and substantial pieces of legislation to affect data since the Data Protection Act of 1998. The aim of GDPR is to allow individuals more control over their data, how it is being used, where it is being stored and what companies are able to do with that information. It places the power back in the hands of the consumer as they will also have to give their express consent about what purposes data can be used for when they sign up for newsletters and services.


What is GDPR?

GDPR will replace the Data Protection Directive, which was designed to harmonise data privacy laws across Europe, with the aim of protecting and empowering all citizens and changing how organisations approach data privacy.

To further understand the impact of GDPR legislation, we can break it down into the following areas:

  • Penalties
  • Consent
  • Data Subject Rights
  • Breach notifications
  • Right to Access
  • Right to be Forgotten
  • Data Portability
  • Privacy by Design
  • Data Protection Officers

GDPR will have a profound impact on all businesses, from large organisations down to smaller organisations of fewer than 10 staff. If a company handles data or information regarding citizens in the European Union, it will be legally bound by the laws and procedures set out in GDPR, regardless of the country in which the business is based or originates.

If you wish to find out more about GDPR, explore the options below to learn how you can prepare for the coming legislation, and the impact these areas will have on your business if you are not GDPR compliant.


For more information regarding GDPR regulation, visit https://www.eugdpr.org/. The information Reflect Digital provide is not legal advice; if you have any legal questions, please get in contact with a legal professional.


GDPR Penalties

Under the new GDPR legislation, organisations that are found to be in breach of GDPR can face fines at one of two levels:

  • 2% of annual turnover or €10 million (whichever is greater) for minor breaches and infringements

OR

  • 4% of annual turnover or €20 million for serious breaches and infringements.

This applies to businesses of any size and scope that handle personal data, and the maximum fine appropriate to that business will be applied.

Consent under GDPR

One of the major changes to data privacy under GDPR is the explicitness of the consent that businesses are now required to obtain from their customers. This means that businesses will no longer be able to use confusing legalese in their terms and conditions, or around the checkboxes on signup forms.

Businesses must deliver a request for consent in an intelligible and easily accessible form, with the intended use of that data clearly stated within the form. For example, if a client signs up to your newsletter to hear about company news, you would not be able to send them marketing information unless they had also explicitly given their consent to be contacted for marketing purposes.

Finally, businesses must also allow customers to withdraw their consent just as easily as they gave it. From that point, the business must cease contacting that individual.

Data Subject Rights

GDPR has increased the rights of data subjects substantially, and now places responsibility on the business holding an individual's data to inform them if their data has been breached, and to protect the data it holds on individuals to the best of its ability.

Breach Notifications

Breach notifications under GDPR will become mandatory in all member states where a data breach will result in a risk to the "rights and freedoms of individuals". Companies will now have 72 hours to report the data breach after first becoming aware of it.

If your business is a data controller, it will be required to notify its customers and the relevant controllers without undue delay after becoming aware of the data breach.

Right to Access

Data subjects will be able to request and access any data that a company is holding on them, and to find out whether that data is being processed, where it is being held, and for what purpose. In addition, data subjects may also request a copy of their personal data. The responsibility is then on the company to provide this data free of charge and in an electronic format.

Right to be Forgotten

As well as being able to access their data in a more streamlined manner, data subjects will gain increased rights under the "right to be forgotten", otherwise known as "data erasure". This means a company will have to erase the personal data it is holding on that data subject and cease any further processing of that data.

The only reason a "right to be forgotten" request may not be completed by a company is if that data is required to be processed to fulfil the "public interest in the availability of data", for example, criminal records.

Data Portability

Data Portability is a new right introduced under GDPR: a data subject will be able to receive the personal data concerning them in a commonly used and machine-readable format. Users will then have the right to transfer or transmit this data to another controller or company.

Privacy by Design

Privacy by Design is an older concept in the design of computer networks; however, it is now becoming core to the legal requirements of GDPR. Privacy by design puts the responsibility on the company to take the "appropriate technical and organisational measures in an effective way to meet the requirements and to protect the rights of data subjects".

Some of these measures include pseudonymising or encrypting data, limiting access to data to only the people who need it, and holding and processing only the data necessary for the completion of the task. An example of this would be users signing up to a Christmas newsletter. Once Christmas has passed, there would no longer be a need for a controller or company to hold this information.

Data Protection Officers

Data Protection Officers have been the cause of some confusion amongst companies looking to prepare for GDPR. A company will only need a Data Protection Officer (DPO) if its core activities include:

  • Regular and systematic monitoring of data subjects on a large scale

OR

  • Processing of special categories of data, or data relating to criminal convictions and offences.

Under the GDPR, appointing a Data Protection Officer can also be a complicated task; however, a company should appoint a Data Protection Officer on the basis of the candidate's professional qualities, including expert knowledge of data protection law and practices.

A Data Protection Officer can be a staff member or an external provider; regardless of this, a Data Protection Officer will need the following:

  • Their contact details must be provided to the relevant Data Protection Authority
  • They must be provided with appropriate resources to carry out their tasks and maintain their knowledge
  • They must report directly to the highest level of management
  • They must NOT carry out additional tasks that could result in a conflict of interest.

If a company does not need a Data Protection Officer, it is important that this is documented. It is also recommended that a person within the organisation is designated as a "data privacy officer"; however, it is important that the title this person carries is not "Data Protection Officer", as this would make them subject to the GDPR requirements on the conduct of a Data Protection Officer.

Things to consider


Data Audit

Document your data streams to discover what data you hold, where it came from, and who you share it with. Ensure data is encrypted and secure, and that you can produce an information audit across the organisations you work with.

Consent

Review how you are obtaining, recording and managing consent. Ensure forms on your website are GDPR compliant and that consent options are written in plain English and are easy for a user to understand. If you are not currently recording consent, begin a campaign to re-engage consumers to gain consent.

Privacy Documents

Review your current privacy information and data protection policies so you can amend them in time to be in line with GDPR recommendations. Remember to include information such as data retention periods, why you are processing data, and users' right to complain to the ICO if they think there is a problem.

Data Access Procedures

Check your procedures to ensure you can handle a variety of data access requests. Under GDPR you are required to allow users to modify their data, remove their data, terminate processing of their data, and access their data in an easy-to-read format.

Staff Training

Train your staff in the new processes and procedures and ensure they understand why the changes are occurring. Data breaches can occur when staff members look for shortcuts to complete long tasks. Under GDPR, if breaches are found to be due to breaking procedure, you are liable for a large fine.
