GDPR

Our GDPR experts are recognised for their expertise in supporting businesses to ensure they are GDPR compliant.

25 May 2018 enforcement date
4% of global revenue or €20m potential fine

On 25 May 2018 the EU’s General Data Protection Regulation (GDPR) came into force, imposing strict new rules on the way in which businesses manage personal data and tougher financial penalties for those who fail to comply. The new sanctions will see organisations receiving fines, depending on the nature and gravity of the breach, of up to €20m or 4% of annual global turnover. TalkTalk’s data breach in 2015, due to their failure to prevent a cyber-attack, resulted in a fine of £400,000 - under the GDPR regime this figure could have been closer to £70 million.

Only 21% of UK organisations consider themselves to be GDPR-ready, despite the data protection law having come into force on 25 May 2018.

The regulations apply to varying degrees to all businesses - from the smallest to the largest and most complex. It impacts not only the relationships with customers, clients and employees, but also on the relationships with third party suppliers of services, contractors and agencies, who themselves may be data processors or data controllers. Businesses will be seeking assurances from their suppliers and contractors that they have measures in place to ensure compliance with the GDPR and undoubtedly will be required to give similar assurances within their own supply chain.

The GDPR recognises that innovations like cloud technology have not only changed the way that data is stored, transferred and used, but have heightened information security risks as data has increasingly become a valuable commodity. The regulation is designed to strengthen the rights individuals have over their data, with transparency and accountability being the key themes running throughout. Data subjects have the ‘right to be forgotten’, and, in certain circumstances, a right to know when their data has been lost or stolen.

GDPR is a global issue. Any company that holds, processes or interacts with personal data on any EU citizen is bound by the legislation.

How we can help

The GDPR is something that cannot be ignored. The regulation is demanding and will continue to present a myriad of issues for businesses.

At Kennedys, our service goes beyond simply advising on the technical aspects of the legislation. We combine our commercial nous and deep knowledge of the business environment, with a practical and hands-on approach, to develop solutions that are aligned to the needs of our clients.

Our lawyers are recognised for their expertise in helping at all stages of the data life cycle, covering:

Assessment and audit: we can help you identify what information you have, where it is stored, and what processes you have for data protection already and whether your organisation is following good data protection practice.
Implementation: what does GDPR mean for your organisation? Has your organisation introduced appropriate technical measures to implement the GDPR?
Compliance: review your policies and assist in producing a comprehensive and effective privacy compliance framework to support your compliance claims.
Training: provide training to all employees of your organisation on the requirements of GDPR and explain how compliance is the responsibility of everyone not just executives or board members.
Security strategy: what steps can be taken to ensure the protection of data and avoid data breaches occurring or minimise their impact.

Our advice is pragmatic, straight-forward and commercially-focused, always with the long-term objectives and health of your business in mind.

Fine information

There are two tiers of fines which exist under the GDPR:

A fine of up to 2% of annual global turnover or €10 million, whichever is the higher. This will generally apply to controller or processor infringements (as opposed to breaches of an individual’s data rights), such as a failure to report a breach within the 72 hour window, implement technical and organisational measures to ensure data protection or maintain written records.
A fine of up to 4% of annual global turnover, or €20 million, whichever is the higher. This will apply to the more serious of infringements, including data breaches which relate to data subjects’ rights and freedoms, failure to comply with a supervisory authority’s investigation, international transfers of data or the basic principles for processing data including conditions for consent.

Global data protection

As a global law firm, our data protection expertise extends far beyond the GDPR. Our lawyers frequently advise on the law governing information management compliance, data loss and data privacy, in multiple jurisdictions. To see the latest guidance on data privacy in Asia Pacific, click below to read our two-part summary which includes:

Our cyber risk expertise

Our global cyber team is located across Europe, Asia Pacific, Latin America, the United States and Bermuda. This allows us to respond swiftly and seamlessly to a cyber event wherever it might be. We have extensive experience across all lines of insurance business affected by cyber risk and advise insurers on:

Coverage issues and silent cyber risk exposures.
Policy drafting and wording.
Reducing exposure to new and unforeseen risks from new technologies.
Data breach and cyber incidents.

Find out more about our cyber risk expertise

Google fined €50 million under GDPR

The French data protection regulator CNIL, has levied a fine of €50 million against technology giant Google for breaches of the GDPR. It is the largest administrative fine issued to date under the GDPR.

GDPR - One month on (June 2018) (PDF, 2.49 MB)

Data Protection Bill briefing (October 2017) (PDF, 79 KB)