After months (and even years) of trepidation over the looming GDPR compliance deadline, the time has finally come.
The GDPR comes into force today and brings with it additional rights for individuals and additional obligations for organisations. It also extends its reach beyond European borders and applies not just to companies within the EEA but also to some organisations outside the EEA.
With the legislation now in force, all eyes will turn towards the regulators to see how this piece of legislation will be enforced. We have already heard from the Information Commissioner in the UK that high fines can and will be levied on those that persistently, deliberately or negligently flout the law. And the ICO's specified areas of focus are reportedly cyber security, artificial intelligence and device tracking. But how this will all play out in practice remains to be seen.
For those of you still on the compliance journey, there is a wealth of information out there to assist you. In the run-up to GDPR-Day, we launched our GDPR campaign to help our clients navigate the GDPR minefield. This campaign centres around our GDPR hub, accessible here, and has included a series of briefings and webinars that take a deeper dive into some of the key considerations in any compliance programme. Copies of the briefings are accessible by clicking on the links below:
- The GDPR: the "whole of business" issue at the top of your board agenda
- The rise of the intelligent business: spotlight on employers
- Extending the long arm of the law: Extra-territoriality and the GDPR
- Data use – protecting a critical resource
- Supply Chain Arrangements: The ABC to GDPR Compliance
If you haven't done so already, now is the time to assess your organisation's level of GDPR compliance and act accordingly. Consider your suite of privacy documentation, including privacy policies, data protection impact assessments, and other internal documentation. Put in place appropriate technical and organisational security measures to protect the data you hold and be prepared to act quickly in the event of a data breach. Know and understand the rights that individuals have with respect to the data you hold about them, and be able to respond to those rights should they be exercised. And importantly, make sure everyone within your organisation is aware of the data protection rules and how they impact employees on a day-to-day basis.
Additionally, the GDPR requires organisations to amend their commercial contracts to include GDPR standard contractual clauses, often involving a large task of amending and negotiating third party contracts (known as "re-papering"). Herbert Smith Freehills is uniquely placed to design and implement highly time-efficient, value for money GDPR re-papering projects due to our innovative and market-leading Alternative Legal Services (ALT) capability. You can explore our practical re-papering offering here.
No matter what stage your organisation is currently at in implementing its GDPR strategy, our cross-disciplinary Data Protection, Privacy and Cyber Security practice is able to offer pragmatic, market-leading, cost-efficient solutions to tackle data issues as and when they arise.
The contents of this publication, current at the date of publication set out above, are for reference purposes only. They do not constitute legal advice and should not be relied upon as such. Specific legal advice about your specific circumstances should always be sought separately before taking any action based on this publication.