Privacy regulations in the EU and the UK have undergone significant changes in the past several years, and these changes affect companies worldwide. The General Data Protection Regulation (GDPR), which came into force in 2018, impacts any company that operates an EU-facing website to market goods or services to EU-based individuals and/or monitors EU-based individuals, e.g., with cookies or other similar technologies. The impacts of the GDPR on companies with an online presence in the EU are far-reaching and have required numerous changes to the way businesses handle personal information. After Brexit, the UK adopted its own GDPR (UK GDPR). The GDPR and UK GDPR will apply to anyone dealing with people based in the EU member states and the UK.
The GDPR and UK GDPR place significant obligations on businesses including:
- a strict definition of consent, making it difficult to obtain
- significant requirements around profiling, sensitive data handling, data retention and use, which restrict what companies may do with the data they collect and how they store and handle it
- significant obligations on and liabilities for data processors
- breach notification requirements
- sanctions for failure to comply, which could result in fines of up to 4% of annual turnover or €20 million / £17.5 million (whichever is higher)
GDPR and UK GDPR compliance encompasses more than having correct policies; for many companies, it may affect business operations and require new technology or changes to configurations of existing technology. Becoming and staying GDPR and UK GDPR compliant should be a multi-stakeholder process, involving both internal company resources across the organization and external advisers.
We can help you with GDPR compliance. We have a team of experienced practitioners who understand what it takes to comply with the GDPR in a way that complements your business priorities. If you would like further information on what you should be doing to ensure that you are compliant, please contact us – we are here to help.
Cooley GO
- Introduction to Europe’s General Data Protection Regulation
- GDPR – Do I Need Consent to Process Personal Data?
- GDPR – A Guide for Employers
Other Resources
- GDPR (full text)
- Adopting a Lead Supervisory Authority
- Data Portability
- Data Protection Officers
- GDPR: An opportunity ahead?
- Profiling
- Consent
Thought Leadership
- “GDPR Series: Creating and Reviewing Data Protection Policies Part 1 – Internal Facing Policies” – Privacy & Data Protection Journal
- “Employee ‘Consent’ Under the GDPR” – Thomson Reuters
- “Blockchain Technology May Not be the Best Solution for GDPR Compliance” – CSO
- “The Challenge of Staff ‘Consent’ Under the GDPR” – People Management
Client alerts
- A Dark Time for Data: WHOIS Blackout Period Likely Starting in May
- GDPR: Guidance on Consent Requirements
- GDPR: Ready or Not, Here It Comes…
- GDPR – Do I Need Consent to Process Personal Data?
- GDPR for Employers
- Introduction to Europe’s General Data Protection Regulation
- EU Privacy Q&A – Network and Information Security Directive
- Brexit + Cybersecurity: What You Need to Know
- Brexit + Privacy: What You Need to Know
- Preparing for the GDPR: Advice for Employers
- At Last, Some Real EU Data Protection News: A Welcome Holiday Gift?
Webcast
- GDPR: What you need to know
- GDPR: What you need to know as a venture fund
- GDPR: What you need to know as a life sciences company
- GDPR: What you need to know as an edtech or education driven company or institution