13th February 2017
The UK government has confirmed that the new EU General Data Protection Regulation (GDPR) will be enforced, in full, by the UK’s Information Commissioner’s Office. In other words, the UK is ‘copying’ the EU regulation and it is most likely that GDPR will continue to be enforced in the UK, as it currently stands, even after Brexit.
Most organisations now have a dedicated GDPR Compliance Project underway to be ready for the deadline of 25 May 2018, when the new regulations will start being enforced.
There is still uncertainty about how some elements of GDPR compliance need to be applied, especially in ‘business-to-business’ (B2B) organisations. The ePrivacy Directive, the current UK transposition of which permits B2B email marketing on an opt-out basis, is also changing. The draft of the new text has retained the opt-out clause, but it remains to be seen how this will be incorporated into UK law. We anticipate the B2B opt-out for electronic mail marketing to be retained.
Merit takes its data processing responsibilities seriously, and has already implemented many of the controls required by GDPR, including assisting the Data Controller with their obligations through transparency of our operations. We are committed to helping our clients, who act as data controllers, comply with the law. We therefore strongly recommend that all organisations we work with do the following as soon as possible – as the very first steps in ensuring GDPR compliance is possible:
In addition to taking all the steps above, we strongly recommend you consult a specialist to review your compliance position and risk around GDPR. Like all compliance issues, organisations need to assess their prosecution and reputational risk by defining and implementing a strategy to ensure they minimise this risk, or at least take on a level of risk with which they are comfortable.
It is not for Merit to advise you on these legal and risk management matters, so we have compiled a list of specialists and law firms you may wish to approach to advise and support you accordingly*. Demand for these types of services will be very high over the coming months, and we strongly recommend you ensure the specialist individual or team you choose for initial and ongoing support has the necessary knowledge of your B2B business model and understands the differences between how GDPR will apply to B2B versus B2C organisations.
|Company Name|Website Address|
|---|---|
|Allen & Overy|www.allenovery.com|
|Farrer & Co|www.farrer.co.uk|
|iCompli (Merit Partner)|www.icompli.co.uk|
*Please note: Apart from iCompli, who are a Merit partner, Merit is not in a position to specifically recommend an advisory service or law firm. The list provided is in alphabetical order, and in no specific order of preference or priority. There are many more law firms and advisory services that provide the relevant support in this area, so we recommend you make independent investigations as to which one best meets your requirements.