Getting ready for GDPR

8 October 2017

The General Data Protection Regulation (or GDPR) is an EU law intended to protect the personal data of individuals. It does so by imposing strict rules on how personal data is handled and secured, and provides people with rights that will keep them in control of their data.

From 25 May 2018 the GDPR will replace the UK’s existing data protection regime. It will have worldwide effect and Brexit won’t stop it. It is onerous and, for many organisations, will be their most significant compliance obligation. Failing to prepare for the GDPR could result in large fines, reputational damage, civil claims from individuals, and breaches of contract.

Key changes

The following are a few of the important changes that will have effect from May 2018:

  • Increases to maximum fines - up to €20 million or 4% of worldwide turnover (whichever is higher)
  • Consents will need to be opt-in (old consent mechanisms, e.g. pre-ticked boxes or opt-outs, won’t be valid)
  • Extensive contract requirements which must be met when suppliers or contractors process personal data
  • Compulsory reporting of data breaches and strict time limits for doing so
  • In some cases, a duty to appoint a data protection officer
  • New data subject rights, and changes to the rules for dealing with subject access requests
  • Data processors being directly liable for breaches of the law
  • Strict requirements for privacy policies and notices
  • A requirement to carry out privacy impact assessments in some situations

Burdensome though it may seem, the GDPR is also an opportunity to build trust with customers, implement robust information security measures, and improve your organisation's brand and reputation.  Being GDPR compliant is also an asset when marketing your organisation, and can distinguish it from competitors.

Structuring your compliance project

Most compliance projects focus on four key areas:

1. Customer data and marketing

Whether you deal with individual consumers or business customers, your organisation processes personal data. To do so lawfully, you will need a GDPR compliant privacy policy. Transparency is a fundamental part of the GDPR, and every organisation requires an effective privacy policy. If you are marketing, you will probably need to revisit contacts to get opt-in consent. You also need to be aware of the rules for marketing under the GDPR (and the PECR marketing rules).

2. Staff data

Employee personal data is dealt with very differently to customer personal data. Organisations typically process personal data (some of it sensitive) about staff for a variety of compliance and contractual reasons, and may engage in activities like monitoring. For such activities to be lawful, there must be a staff handbook or privacy policy which meets the GDPR’s requirements. Forms asking employees, agents and job applicants for data may also need to be revised to refer to the privacy policy.

3. Contracts

You will probably need to update the data protection contract clauses in your standard terms, employment contracts, subcontractor agreements etc. These clauses tend to be stand-alone and can usually be dealt with quickly and cost-effectively. Keep in mind that contracts entered into now, which are still effective next May, should be GDPR compliant. Your organisation will also need a data processing contract for when you engage others to process data on your behalf (eg your payroll provider).

If your services involve personal data processing, your customers will increasingly insist on having a GDPR compliant contract in place. Equally, you should have your own (pro-supplier) processing terms. If you can't offer these, you may have to sign up to the customer's terms, which are likely to be more onerous and include warranties and indemnities etc. Lastly, you'll probably need a data sharing contract for when you share data with other controllers (eg pension providers).

4. Security, risk management and operations

The GDPR's security requirements can be onerous. You need to ensure your supply chain is secure and, in case the worst should happen, have a data security incident management policy in place. You may also need to appoint a data protection officer, and be aware of how to carry out privacy impact assessments.

Another consideration is data cleansing, storage and retention periods.

Everything else

There are other areas which may need to be addressed (such as international transfers and data transfer contracts), depending on how your organisation uses data.

You'll also have to update your subject access request templates and put in place procedures to deal with new data subject rights.

When should you begin?

The GDPR became law in May 2016, but it was agreed there would be a two-year transition period before it comes into effect on 25 May 2018 so that organisations can ensure they are compliant. Businesses which market to consumers must act immediately, as they will need time to run opt-in marketing campaigns (which must be done carefully, as businesses have been fined for breaching the existing marketing laws when seeking GDPR opt-in consent).

Businesses are likely to start seeing their customers ask about the GDPR. Being compliant will be an asset when marketing your services, and will help differentiate you from competitors.

For more information contact GDPR specialists:

Oliver Neil 0845 070 3810 
Mukesh Patel 0845 272 5710

Terms and Conditions | Privacy Policy | Fresh Produce Consortium © 2019