Handle with care

What we say - Article


Handle with care


The regulations for handling and protecting personal data are being reformed - Debbie Venn from asb law explains the changes.


Given the technological advances that have taken place since the introduction of the Data Protection Act nearly 20 years ago, reform of data protection legislation is somewhat overdue.  The General Data Protection Regulations (GDPRs) have been adopted by the European Parliament and as a result, will become law in the UK on 25 May 2018.


The GDPRs impose a vast number of new obligations on both data controllers and data processors and seek to evolve and harmonise the approach to data protection throughout the European Union (EU). 


This will be particularly important for travel businesses where there is a lot of personal and sensitive data being processed, both inside and outside of the EU.


But what about Brexit?


The Government has confirmed that as the United Kingdom will still be a member of the EU in May 2018, the UK will adopt the GDPRs as any other member would.  This does not mean that the UK won’t amend data protection legislation following Brexit (although substantive change is unlikely), but it does mean that the GDPRs will become law in the UK as from 25 May 2018. 


What are the key provisions of GDPRs?


The GDPRs will apply to all businesses that monitor behaviours or provide goods or services to individual residents in the EU.  The GDPRs change a number of key areas of data protection legislation, including:

  • Consent - the consent required by data subjects under the GDPRs must be clear, affirmative, unambiguous and freely given to ensure that data subjects are aware of the legal basis for which the processing of their data is taking place. Consent should not be provided through pre-ticked boxes, and more transparency is required.
  • Data Processors – for the first time, obligations will be imposed directly on data processors. This includes obligations regarding accountability, breach reporting, record keeping and the transfer of data.
  • Accountability – the GDPRs impose more obligations on data controllers to be accountable, with the introduction of compulsory appointments of Data Protection Officers (where large scale monitoring or processing is taking place), Data Protection Impact Assessments and Data Protection by Design.
  • Children – specific provisions regarding children and the need for reasonable efforts to be taken to verify consent in relation to children will be introduced.
  • Individual rights – the timelines, process and exemptions in relation to subject access requests will change and new protections are to be introduced including, the right to be forgotten, the introduction of data portability and new profiling measures.
  • Breach notification obligations – data processors are obligated to notify any breach they become aware of to the data controller, and the data controller is obligated to report any breach they become aware of to the regulator (and in some cases the individuals concerned)  within 72 hours of the breach arising.

What are the implications for non-compliance?


In addition to the bad publicity and reputational damage, the GDPRs introduce significant fines for non-compliance. The fines adopt a two-tiered approach with the first tier for less serious breaches (such as failure to keep the records) being up to 2% of the business’s global annual turnover or €10 Million (whichever the greater), and the second tier for more serious breaches (such as data transfers) being up to 4% of business’s global annual turnover or €20 Million (whichever the greater). These fines are huge and businesses should take compliance seriously. 


How can businesses start to get ready?


Businesses need to act now with a pro-active approach to get ready for the GDPRs. Making data protection a priority and budgeting appropriately for the necessary changes is key. Whilst not all of the guidance has been released, businesses should start getting prepared for the GDPRs and can do this by:

  • creating awareness regarding the GDPRs and its implications throughout the business, making sure those employees handling personal data such as HR teams and directors, are aware of the new requirements;
  • auditing how personal data is collected, stored and managed, and making sure that the appropriate recording procedures are in place;
  • reviewing technical and organisational measures, including administration and IT processes;
  • reviewing data protection policies in place to ensure the business have the following GDPR compliant policies:
    • privacy policy;
    • data breach policy;
    • data retention and deletion policy;
    • internal data protection policy for staff;
    • subject access request policy.

The GDPRs will impose a number of new obligations on businesses with robust enforcement from May 2018. They also present a great opportunity to review and assess your approach to data protection and compliance.


The full article Handle with Care was published in the April edition of Travel Trade Gazette.

Debbie Venn, Partner, Head of TMT, CommercialFor further guidance, please contact Debbie Venn, Partner and Head of Technology, Media and Telecommunications.

View Debbie's profile email Debbie now 

Published: 6 Apr 2017

Subscribe to all articles and news: