Clarkslegal LLP - Solicitors in Reading and London

Legal Updates

Getting Ready for GDPR: Key Points

10 April 2018 #Commercial #Data Protection


Admittedly, the General Data Protection Regulation (GDPR) may not be the most exciting piece of legislation… however, with just over six weeks until it comes into force, the time for ensuring you are fully compliant is NOW!

Am I Affected?

If you process data about individuals from any EU member state, you must comply with the GDPR. The GDPR applies to businesses of any size (including SMEs) and applies whether you contract with other businesses, directly with clients or both.

The definition of “processing” is extremely wide: it is very difficult to see any activity which would not be considered processing. For example, processing includes collecting, storing, disclosing, altering, combining and destroying data.

Grounds to Process Personal Data

The GDPR requires you to have “legitimate grounds” for collecting and using personal data.

The main grounds for processing are:

  • consent has been given, or
  • the processing is necessary to in relation to a contract with the individual, or
  • the processing is necessary because of a legal obligation, or
  • there are legitimate Interests in processing the data.

Privacy Notices

Note that you must still include the “legitimate interests” you intend to rely upon in your Privacy Notice. The Privacy Notice must be readily available and should clearly state:

  • the legal basis for processing data,
  • the legitimate interests relied upon (if any),
  • how long you will retain the personal data,
  • who the personal data may be shared with,
  • that the individual has the right to request deletion of its personal data; and
  • that the individual has the right to complain to the ICO.

Click here for an example of the GDPR in action.

Marketing Material and Consents

It is likely that you will need an individual’s explicit, positive consent before you can send any marketing or product information to their email address, phone or by personal address.

The GDPR is retrospective, so you may need to get consent again, in a manner which is fully compliant with the GDPR.

Where your business receives referrals of potential clients, you will need to get explicit consent before sending out marketing material. Essentially, you should email the potential client and explain who referred them to you and ask them whether they wish to receive some information about your business offerings.

Demonstrating Compliance

The GDPR requires you to be able to demonstrate compliance. This means that you must keep a record of all consents received or the ground(s) on which you process personal data. You must also keep a record of how long you will retain personal data. If you have over 250 employees or process sensitive data, you must also record all your processing activities.

Third Parties

If you outsource any functions or work to a third party, you must include the details of these third parties and the personal data you may share with them in your Privacy Notice.

As you are ultimately liable for safeguarding any personal data you share with third parties, it is crucial you ensure third parties also comply with the GDPR and you protect yourself with appropriate contractual provisions to minimise your exposure.

Company Records

You will not need consent for any personal data required by law from directors and shareholders (for example directors’ names and DOBs which must be submitted to Companies House). However, you may wish to include a sentence in your Privacy Notice to explain this.

Where you also obtain personal data not required by law (for example shareholders’ email addresses), you may also wish to explain your legitimate interest in retaining this additional personal data in your Privacy Notice.

As with all personal data, the key thing is ensuring you have proper protections and processes in place to protect individuals’ personal data.

Clarkslegal, specialist Commercial lawyers in London, Reading and throughout the Thames Valley.
For further information about this or any other Commercial matter please contact Clarkslegal's commercial team by email at contact@clarkslegal.com by telephone 020 7539 8000 (London office), 0118 958 5321 (Reading office) or by completing the form on this page.

Read more articles

Martha Craven

Martha Craven
Trainee Solicitor

E: MCraven@clarkslegal.com
T: 0118 960 4679
M: 07748638845

Contact

Commercial team
+44 (0)118 958 5321