- enhanced documentation to be kept by data controllers
- enhanced Privacy Notices
- more prescriptive rules on what constitutes consent (one of the most commonly relied-upon lawful bases for processing)
- mandatory data breach notification requirement
- enhanced rights for Data Subjects (the individuals whose data is being processed)
- new obligations on Data Processors (third parties carrying out processing activities on behalf of the main party) and
- an obligation to appoint dedicated Data Protection Officers for organisations over a particular size or if carrying out systematic processing of certain types of personal data.
- carry out audits or “compliance assessments” of organisations;
- issue enforcement notices or orders requiring specific actions to resolve breaches;
- fine organisations for breaches of GDPR;
- issue fixed penalties to organisations for failing to meet specific obligations (e.g. a failure to pay the relevant fee to the ICO); and
- prosecute criminal offences before the courts.
- the attitude and conduct of the individual or organisation concerned suggests an intentional, wilful or negligent approach to compliance, or an unlawful business or operating model;
- advice, warnings, consultation feedback, conditions or guidance from the ICO have not been followed; and
- any financial (including budgetary) benefits gained or financial losses avoided by the relevant individual or organisation, directly or indirectly.
- whether the organisation had in place any available protective or preventative measures and technology; or
- whether there was early notification of the breach or issue to the ICO by the relevant individual or organisation.
- Privacy Notices (to show individuals what data is held and what is done with it)
- Data Processing Log (an internal management document under Article 30 GDPR showing the processing undertaken and decisions relating to that processing)
- Subject Access Request policy (an internal policy for staff detailing how requests from individuals will be dealt with by the organisation and how to respond to a request in a GDPR-compliant way)
- Data Retention policies (an internal policy for staff detailing how documents should be kept safely and securely, including minimum and, where applicable, maximum retention periods that demonstrate compliance with various laws such as tax and contract law, as well as the destruction of documents in a GDPR-compliant way)
- Data Processing Agreements (with third parties) – a requirement of the GDPR
- Data Breach Process (an internal policy for staff detailing how breaches of GDPR will be dealt with by the organisation in a GDPR-compliant way)