As the date for the General Data Protection Regulation (GDPR) looms on May 25, a Newport-based law firm weighs in on the changes.

Watkins and Gunn, with offices in Newport, Cardiff and Pontypool, is cautioning business owners that the law will impose major changes to the day-to-day operations of companies.

Data breaches will be treated far more severely once GDPR is in force, with punitive measures, including much higher fines, becoming a possibility.

In the UK, organisations are currently required to comply with the Data Protection Act 1998, but this is due to be superseded by new regulations.

The new GDPR regulations, which have been developed over the past four years, will be enforced in May. The regulations aim to tackle data exploitation, giving individuals more power over their information.

The changes due to take effect include:

• Individuals having greater control over their personal data, including the ‘right to be forgotten’ and the right to have their data transferred

• In certain circumstances an organisation will have to appoint a data protection officer

• Organisations will have to report breaches to the Information Commissioner’s Office (ICO) within 72 hours

• There will be stricter rules on obtaining individuals’ consent to how their personal data can be used, including use for marketing

• Higher penalties will be imposed on those who breach data protection regulations.

Faris Dean, head of business at Watkins and Gunn, said: “Due to the substantial changes on the horizon, it would be wise not to consider these matters as ‘business as usual’. It’s worth putting necessary procedures in place now, so that your business is well placed to manage the changes as soon as they come into force.”

Mr Dean also advises that a head start on implementing the changes demonstrates to the ICO that your business is taking the regulations seriously.

He said: “This should minimise the risk of a breach occurring in the first place, but should this happen, it may reduce the possible penalty.”

Complying with GDPR also requires an administrative approach. Some of the matters an organisation may want to consider are:

• Understanding what personal data is held by the organisation and how it is used within the organisation

• Allocating responsibility within the organisation for the implementation and safeguarding of personal data

• Cleansing an organisation’s existing personal data to remove any excess data for which there is no legitimate reason to hold it

• Having proper systems in place for safeguarding personal data and for reporting breaches to the ICO

• Ensuring a commitment from senior management and training of staff on the new GDPR

• Reviewing the internal privacy policy and the privacy and cookies policy on the website (external policy)

• Reviewing an organisation’s legal agreements with other entities to ensure there are proper provisions for safeguarding and dealing with personal data.

Mr Dean said: “These are just some of the considerations which an organisation should be turning its attention to immediately. You may want to engage external advisors with GDPR knowledge to help navigate this fairly complex area of law with as much confidence as possible.”

Watkins and Gunn offers a wide range of legal services including accident claims, medical negligence, wills and probate, employment law, education law, public law, business law, divorce and family law, childcare law, criminal law, road traffic law and property.