© 2018 by Hansuke Consulting Limited


Hansuke Consulting Limited is registered in England and Wales number 10136213 with its registered office at: 71-75 Shelton Street, London WC2H 9JQ. Hansuke Consulting Limited is an accredited and regulated member firm of the Institute of Chartered Accountants in England and Wales (ICAEW).


In accordance with the disclosure requirements of the Provision of Services Regulations 2009, our professional indemnity insurer is International General Insurance Co (UK) Limited, of 133 Houndsditch London EC3A 7AH. The territorial coverage is worldwide excluding professional business carried out from an office in the United States of America or Canada and excludes any action for a claim brought in any court in the United States of America or Canada.

What is GDPR?

The General Data Protection Regulation (“GDPR”) is the single most important development in European data law in the last 20 years and will fundamentally change the personal data landscape. Due to its pervasive nature, all EU-based companies are expected to fall under the scope of the GDPR.


The GDPR introduces an extensive penal regime whereby infringements could result in penalties of up to €20m or up to 4% of annual global turnover, whichever is greater. Organisations must act now or face crippling fines, reputational damage and loss of business.

If you are unable to answer ‘yes’ to the following, then you are not GDPR compliant:

  • Has the legal basis for processing data been established and documented?

  • Have all personal data repositories been identified and captured in a data inventory?

  • Has the complete data lifecycle of the personal data been mapped, covering data attainment, consent and its disposal?

  • Have steps been taken to implement technical and organisational controls to protect personal data e.g. encryption, pseudonymisation, ability to restore availability and access to personal data?

  • Are there mechanisms to report a data breach within 72 hours, and to respond to a Subject Access Request (“SAR”) within 30 days?

  • Are procedures in place to facilitate data portability and execute the right to be forgotten?

  • Has a Data Protection Officer (“DPO”) been appointed, if applicable?

  • Do contracts with third party data processors comply with the GDPR?


All organisations, irrespective of size, handle personal data (referred to as “Personally Identifiable Information” or “PII”). Personal data are used to carry out fundamental corporate functions such as background checks on prospective customers, running employee payroll and marketing to prospects. The GDPR will provide individuals the assurance that their personal data are obtained, handled and processed in a fair, accurate and secure manner.


The GDPR came into force on 25th May 2018 and superseded the UK Data Protection Act 1998 (“DPA”). The major purpose of the GDPR is to strengthen the rights of data subjects. These include, for example, a right to information about the data being processed about them, access to the data in certain circumstances, correction of erroneous data and removal of the personal data. There is a further obligation on the data controller to take reasonable steps to inform third parties that the data subject has requested erasure of any links to, or copies of, that data. Individuals can also ask to receive their personal data in a structured and commonly used format so that it can easily be transferred to another data controller.


Contact our team
+44 (0) 207 816 5488