Data Protection Blog

24 January 2018

The £17 million Question - What will the ICO’s enforcement powers be under the GDPR, and how will they be used?

The General Data Protection Regulation (“GDPR”) coming into force in May 2018 empowers national supervisory authorities to issue fines of up to €20 million, or 4% of an organisation’s annual global turnover for certain data protection infringements. These figures have generated headlines and news stories around the globe, many of them misleading. The Information Commissioner, in her post of December last year, warned of ‘scaremongering because of misconceptions’. We seek to put the headline grabbing figures in context, by examining the range of administrative sanctions available to national supervisory authorities for dealing with infringements of GDPR and the criteria they will use when selecting them. In doing so we shed light on how organisations can prepare for, and react to, any data protection infringements to reduce the risk of a heavy fine. 

Fred Allen

15 December 2017

An introduction to contracts between data controllers and data processors under the General Data Protection Regulation

Under the GDPR, when a ‘data controller’ engages a ‘data processor’, the two parties must enter in to a written contract. Article 28 of the GDPR sets out what specific terms, as a minimum, must be included in such contracts. Such terms are required to ensure that the processor complies with the GDPR when processing the personal data in possession of the controller. Article 28 is a new requirement which did not exist under the Data Protection Act 1998 (the “DPA”), meaning that controllers who are currently compliant with the DPA will not necessarily have included these provisions in their processor contracts.

Josephine Burnett

13 December 2017

When is a data controller liable for the criminal acts of a rogue employee?

The acquisition from organisations of large databases of personal data by external parties (usually hackers) is an increasingly modern phenomenon – think Ashley Madison, PlayStation, TalkTalk. Less common, and perhaps of greater concern for employers, is the ‘inside job’ where a trusted employee is responsible for a major breach of data security. The High Court case of Various Claimants v Wm Morrisons Supermarket PLC [2017] EWHC 3113 (QB) has shown that a data controller can be held vicariously liable for the misuse of date by one of its employees even where it has done everything it reasonably can do to prevent such a breach.

28 November 2017

The real impact of the GDPR… new notification obligations

To date, GDPR headlines have mainly focused on the threat of heavy fines. However, the Information Commissioner’s Office (the ‘ICO’) has made it clear that issuing fines has always been, and will continue to be under the GDPR, a last resort. Rather, the most immediate impact of the GDPR following a data breach is the new obligation under Article 29 to notify both the ICO and those individual data subjects affected by data breaches. These individuals are most likely to be the clients, customers, suppliers and other contacts upon which your organisation relies and, following any significant data breach, notification may lead to that breach becoming public. 

Josephine Burnett

21 November 2017

An introduction to Data Protection Officers under the GDPR: Should you appoint one?

There is currently no legal requirement for companies to appoint a dedicated officer responsible for data protection; the Information Commissioner’s Office merely encourages this as good practice.  However, this will change when the General Data Protection Regulation (“GDPR”) comes into force in May 2018 and introduces a requirement for certain organisations to appoint a Data Protection Officer (“DPO”).

Kirsty Churm

Skip to content Home About Us Insights Services Contact Accessibility