GDPR & Cyber Security

Key changes under the GDPR affect almost all businesses. The rights of EU citizens to control their personal details have been enhanced and new unified obligations have been placed on those dealing with personal data. However, this is not the end of the compliance journey for organisations, and they must act now to ensure they fully comply with the new rules.

The law concerning the use of technology to conduct criminal activity has also developed greatly in recent years in response to the volume of crimes involving technology. The law concerning cyber security is evolving into a very sophisticated framework of rules and regulations, which can be difficult to navigate without a specialist solicitor. MacRoberts has experience in assisting clients across a number of sectors in dealing with cyber security.

Key changes under the GDPR affect almost all businesses. The rights of EU citizens to control their personal details have been enhanced and new unified obligations have been placed on those dealing with personal data. However, this is not the end of the compliance journey for organisations, and they must act now to ensure they fully comply with the new rules.

Previous data protection legislation (the Data Protection Act 1998 in the UK) was based on the Data Protection Directive of 1995 (the 1995 Directive) which set out key legal principles for dealing with personal data. For the past 15 to 20 years these principles have been adopted in national legislation throughout the EU Member States in different ways resulting in a disjointed approach to data protection in Europe. The GDPR replaced the 1995 Directive and is directly applicable in every EU Member State. This means there is now a single set of rules to avoid contradictory approaches across the EU.
What does the EU General Data Protection Regulation (GDPR) mean for businesses?

New obligations for data processors

Under the GDPR both data controllers and data processors can be responsible for data protection compliance. This means not only the owners of personal data are responsible for meeting the requirements of the GDPR, but those holding or using that data (such as external marketing or IT suppliers) also have new responsibilities.

Affirmative consent requirements for processing

One of the key principles for processing data is that the procedure must be fair and lawful. The bases on which data is processed are a key area of reform. The previous rules were often interpreted too widely by data controllers. One basis for fair and lawful processing is gaining the individual’s consent. Under previous legislation, practice arose in many industries whereby consent was implied by the actions or inactions of the data subject. Under the GDPR this practice is no longer accepted. Consent must be freely-given, specific, informed and unambiguous.

Privacy by design obligations

Organisations are obliged under the GDPR to adopt an approach that promotes privacy and data protection compliance from the outset. All businesses in high risk situations should consider carrying out Data Protection Privacy Impact Assessments.

Potential fines for security breaches

The GDPR introduced stronger enforcement action where there is a breach of the data protection rules, including fines of up to 4% of an organisation’s turnover. Enforcement action is unified across the EU with each national supervisory authority authorised to take action.

Enhanced rights of data subjects

The rights of individuals in relation to their personal data have been enhanced under the GDPR. This impacts on the information which should be included in privacy policies and procedures and the way in which data subject access requests from individuals should be handled.

Appointment of Data Protection officers

A properly equipped Data Protection Officer (DPO) can prove invaluable to an organisation dealing with vast amounts of data. The GDPR requires certain organisations to appoint a DPO to oversee compliance with data protection due to their size or business operations. This is a new requirement for those dealing with personal data in the UK although other EU Member States already require some organisations to have a DPO in place.

International reach

The GDPR applies to the personal data of all individuals within the EU and organisations processing their data are required to comply with the GDPR, regardless of whether those organisations are based within the EU themselves. In the age of data sharing, personal data may be processed in a number of different jurisdictions and the GDPR makes provision for identifying which data protection authority will supervise cross-border organisations.
Does your business comply with the EU General Data Protection Regulation?

Although the 25 May 2018 deadline has passed, this is not the end of the compliance journey for organisations. Initial preparation was made easier for businesses by the introduction of a 12 step checklist by the Information Commissioner’s Office (the ICO), which we have detailed here. This checklist highlights and codifies the essential steps for businesses to take in order to prepare for the GDPR.

The 12 Steps Checklist

Step 1 - Awareness

GDPR change: The GDPR will significantly amend current data protection law. Not everyone within an organisation will be aware of this.

Action to be taken: Make the GDPR reforms known to key people in the business (e.g. those with supervisory or decision making powers), and make them aware of the effects of such reforms.

Step 2 – Information you hold

GDPR change: If a business has shared inaccurate personal data with another organisation, the GDPR requires that the business notify that other organisation of the inaccuracy. As part of the new accountability principle, businesses will also have to be able to show how they comply with the data protection principles.

Action to be taken: Businesses should consider undergoing an information audit which documents the personal data held by them, the source of such data and details of with whom they share the data.

Step 3 – Communicating privacy information

GDPR change: Additional information must be given to individuals when their personal data is obtained.

Action to be taken: Review current privacy notices/policies and identify those areas which will require updating to ensure compliance with the GDPR.

Step 4 – Individuals’ rights

GDPR change: Individuals will have enhanced rights to:-
- access their information;
- have inaccuracies corrected;
- have information erased;
- prevent direct marketing;
- prevent automated decision making and profiling;
- data portability.
Step 5 – Subject access requests

Action to be taken: Review and update current procedures for handling subject access requests.GDPR change: The legal basis for processing will need to be explained in privacy notices and when responding to subject access requests. The rights afforded to individuals will vary depending on the legal basis for data processing.

Step 6 – Legal basis for processing personal data

GDPR change: Current rules for subject access requests are changing – timescales for compliance will be reduced, fees will generally no longer be chargeable and additional information will require to be provided to individuals e.g. about data retention periods and the right to have inaccuracies corrected.

Action to be taken: Review privacy/data protection procedures and policies to ensure that they provide for each enhanced right under the GDPR.

Step 7 – Consent

The GDPR applies to the personal data of all individuals within the EU and organisations processing their data are required to comply with the GDPR, regardless of whether those organisations are based within the EU themselves. In the age of data sharing, personal data may be processed in a number of different jurisdictions and the GDPR makes provision for identifying which data protection authority will supervise cross-border organisations.

Step 8 – Children action to be taken

Create and implement new practices for (i) verifying the age of individuals and (ii) obtaining parental or guardian consent when processing the data of children.

GDPR change: The GDPR widens the number of businesses obliged to notify the ICO and private individuals of data breaches. Failure to comply with this obligation may lead to significant fines by the ICO.

Step 9 – Data breaches

GDPR change: Parental or guardian consent must be obtained to process personal information of children (i.e. those under 13 in the UK). Consent must be verifiable and written in child friendly language.

The GDPR applies to the personal data of all individuals within the EU and organisations processing their data are required to comply with the GDPR, regardless of whether those organisations are based within the EU themselves. In the age of data sharing, personal data may be processed in a number of different jurisdictions and the GDPR makes provision for identifying which data protection authority will supervise cross-border organisations.

Action to be taken: Review the data processing done by the business and then identify and document the legal basis for processing.

Step 10 - Data protection by design and data protection impact assessments

Action to be taken: Know when DPIAs should be used, who should be involved and the process to be adopted. GDPR change: Public authorities and large businesses will be required to appoint a Data Protection Officer to oversee compliance.

Step 11 – Data protection officers

GDPR change: Organisations must adopt ‘privacy by design’ (i.e. an approach that promotes privacy and data protection compliance from the outset). Organisations should also carry out a Data Protection Impact Assessment (“DPIA”) in high-risk situations. If processing is high risk, the ICO should be consulted on whether processing complies with the GDPR.

Action to be taken: Ensure that there are procedures in place to detect, investigate and report on personal data breaches. The ICO suggests assessing the types of data held and documenting which ones would trigger notification in the event of a breach.

Step 12 – International

Action to be taken: If operating internationally, determine which data protection supervisory authority will be the lead supervisory authority for the business. If the organisation is complex with decisions regarding data processing activities being made in different places, the ICO recommends that businesses map out where the most significant decisions are made to determine the main establishments and then the lead supervisory authority.

GDPR change: The GDPR creates a system for determining which data protection supervisory authority takes the lead when investigating a complaint which is international in nature.

Action to be taken: Where required, identify and designate a Data Protection Officer – this can be someone within or outside the organisation. This will be an important role for the organisation in terms of ensuring compliance with the GDPR. Select someone who has suitable experience.
The law concerning the use of technology to conduct criminal activity has developed greatly in recent years in response to the volume of crimes involving technology.

The law concerning cyber security is evolving into a very sophisticated framework of rules and regulations, which can be difficult to navigate without a specialist solicitor. MacRoberts has experience in assisting clients with cyber security.

Cyber crime is any kind of criminal activity that is committed with the use of a computer. This makes cyber crime and cyber security a vast area of law, with greatly varying offences, including hacking, fraud, harassment and espionage. Cyber crime and cyber security are not limited by borders, and investigation of such offences may involve a number of international agencies. The main regulator of cyber crime in the UK is is the National Cyber Crime Unit of the National Crime Agency. This agency investigates, prosecutes and polices instances of cyber crime and breaches of cyber security across the UK.

The main cyber crime offences that we see in relation to corporate offences are:
- Unauthorised access to computer material
- Unauthorised access with intent to commit or facilitate a crime
- Unauthorised modification of computer material
- Making, supplying or obtaining information which can be used in computer misuse offences
These offences are also very broad, and if you are caught at any stage of the process of assisting in cyber crime you may be held liable for committing an offence. The offence of ‘making, supplying or obtaining information which can be used in computer misuse offences’ is designed to catch individuals or organisations which create viruses or spyware designed to be released into a computer network.

The penalties for cyber crime depend on the crime’s severity. Under the Misuse of Computers Act, the lowest offence carries a maximum penalty of six months’ imprisonment in addition to a fine. All other cyber crime offences can attract up to five years in prison and in certain circumstances an unlimited fine.

Cyber crime Legal Advice & Criminal Defence Scotland

Cyber crime is a fast moving area of law under constant review and changing regularly. If you have been affected by cyber crime in any way it is crucial you contact a specialist team of cyber crime lawyers to handle your case. Our team has specialist knowledge and experience in dealing with cyber crime cases and can navigate the complex rules and regulations in this area. We have many years of experience in advising our clients who have been involved in cyber crime investigations, and can offer expert representation at all stages should you require it.

Download our Data, Protection, Privacy & Cyber Security Compliance Brochure
We can help organisations, both controllers and processors, in a number of ways to suit business needs, from template documents to tailored advice and assistance:

Auditing and data mapping

To work towards compliance you need to know where you stand currently. We can assist you by performing a data protection audit to identify any compliance gaps in your processes and recommending compliance solutions using a ‘traffic light’ coded action plan. As part of this process we help clients to ‘map-out’ their data flows, which forms the basis of an organisation’s record of processing activities (which means from the process we undertake you are already on your way to working towards compliance requirements).

Training and workshops

Online training

We can provide online training for employees and managers on a subscription basis which is a really useful tool for reaching large audiences quickly at a time and place that is convenient to them.

Face-to-face training

We can also provide interactive face-to-face training (on-site or off-site) to allow staff to ask questions and to work through practical examples. This training can be a general overview of data protection or we can provide specific tailored workshops for your market sector and on key issues such as, for example, responding to SARs, dealing with personal data breaches, drafting GDPR compliant contracts, fundraising and direct marketing, etc.

Template and tailored documents

We have a number of template guidance tools, policies and procedures, and contracts that we can offer and tailor to your organisation’s functions, including:
- Legal Basis Flowcharts
- Privacy Notice Checklist
- Direct Marketing / Fundraising Flowcharts
- DPO Advice Note and Questionnaire
- Template DPIA
- Data Protection Policy and Privacy Standard
- Procedure for Data Subjects Rights
- Personal Data Breach Policy and Procedure
- Guidance Tool – Determining Roles of Parties
- Data Processor GDPR Checklist
- Contracts
- Consent
Tailored advice and assistance

As well as assisting with your documents, we can also provide advice and assistance on all matters related to data protection and privacy, and we have assisted a number of clients in various sectors with tailored advice on many practical areas, including, SARs; personal data breaches; direct marketing; monitoring and tracking employees; internal transfers; data sharing arrangements and international transfers.

International transfers

We provide advice and assistance on all matters relating to international transfers; whether this is within a group structure or simply as part of an on-going business relationship. We can assist you to ensure that your international transfers are carried out in a lawful way whether that be providing advice on Standard Contractual Clauses; or how to join the EU-US Privacy Shield or where your business needs guidance on particular jurisdictions, we can assist you in getting that guidance through our worldwide network of data protection experts.
Please contact a member of our team for more information or to find out how we can help you make sure you are GDPR compliant and protected against cyber crime.
- Valerie Surgenor Partner
  
  Val specialises in data protection and compliance matters; cybersecurity & technology; intellectual property and commercial contracts, working with both the private sector and the third sector.
  0141 303 1241 valerie.surgenor@macroberts.com More Info
- David Gourlay Partner
  
  Recognised in Chambers UK as a 'highly regarded IT lawyer', David advises on intellectual property, information technology and all types of commercial contracts.
  0131 248 2211 david.gourlay@macroberts.com More Info
- Eleanor Mannion Senior Associate
  
  An accredited specialist in employment law, Eleanor is dual qualified in Scots and English law and has experience in both private and in-house local government practice.
  0141 303 1109 eleanor.mannion@macroberts.com More Info
- Susan Murray Associate
  
  Susan advises on a wide range of commercial matters and compliance issues, including data protection, intellectual property, commercial contracts and competition law.
  0141 303 1127 susan.murray@macroberts.com More Info
- Sonja Hart Associate
  
  Sonja advises private and public sector clients on commercial contracts, financial services and intellectual property matters.
  
  0131 248 2112 sonja.hart@macroberts.com More Info
- Jozanne Bainbridge Associate
  
  Jozanne advises on a range of commercial matters and has a natural interest in the ever-expanding technology and cybersecurity spheres.
  0141 303 1194 jozanne.bainbridge@macroberts.com More Info
- Melissa Hall Senior Solicitor
  
  Melissa advises on a wide range of intellectual property, commercial and technology matters, including commercial contracts, compliance and data protection.
  0141 303 1162 melissa.hall@macroberts.com More Info
- Rebecca Henderson Solicitor
  
  Rebecca specialises in commercial contracts, data protection and intellectual property, and is particularly interested in the area of competition law.
  0141 303 1158 rebecca.henderson@macroberts.com More Info
- Jamie Meechan Senior Solicitor
  
  Jamie advises employers and employees in relation to all aspects of employment law and HR issues, including unfair dismissal, performance issues, discrimination and employment contracts.
  0141 303 1203 jamie.meechan@macroberts.com More Info
- GDPR 19/08/2019 Consent under the GDPR: What do employers need to know? The GDPR has been in force for just over a year and we are now starting to see evidence of Data Protection Authorities across the EU issuing fines for non-compliance.
- GDPR 15/08/2019 How much time do you have to respond to a subject access request? Perhaps less than you thought! The ICO has updated its guidance on subject access request (SAR) timescales and organisations now have slightly less time than they did previously to respond.
- GDPR 09/07/2019 ICO's second GDPR fine in as many days highlights importance of due diligence in acquisitions With a second fine in as many days, the ICO proposes to fine travel giant Marriott International Inc £99 million and, in the process, identifies how critical due diligence is when acquiring any business.
- GDPR 08/07/2019 British Airways: Large GDPR fines now a reality in the UK Large GDPR fines have now become a reality in the UK as the ICO gives British Airways a Monday morning wake-up call in the form of a notice of intent to issue a penalty notice following last year’s security breach.
- GDPR 18/06/2019 Data Protection & Cyber Security Newsletter - June 2019 Our latest newsletter looks at recent developments in data protection and cyber security, including the requirement for data protection representatives post-Brexit and updated data protection legislation around the world.
- GDPR 24/05/2019 ICO continues to clamp down on bad direct marketing practices The UK ICO recently fined Bounty (UK) Limited £400,000 for the unlawful sharing of the personal data of more than 14 million people, highlighting the necessity of strict compliance with data protection laws.
- GDPR 10/05/2019 GDPR: What do employers and HR teams need to know? (Part 3) In the third instalment of our series on data protection rules and their effects on employers and HR departments, we look at on lawful processing under data protection legislation and how employers are affected by the new rules.
- GDPR 10/04/2019 Data Protection & Cyber Security Newsletter - April 2019 Our latest newsletter looks at recent developments in the field of data protection and cyber security, with a focus on Brexit, privacy and social media and the California Consumer Privacy Act.
- GDPR 11/04/2019 GDPR: What do employers and HR teams need to know? (Part 2) The GDPR and DPA 2018 afford employees a host of new and enhanced rights, allowing them greater control over their personal data. We look at how to manage employee rights under the data protection rules.
- GDPR 02/04/2019 GDPR: What do employers and HR teams need to know? (Part 1) The General Data Protection Regulation (GDPR) and Data Protection Act 2018 (DPA) came into force on 25 May 2018 and represents the biggest change to EU data protection laws in over three decades. Since the coming into force of the GDPR and DPA, there has been a sharp increase in complaints to regulators.
- GDPR 28/02/2019 Data Protection & Cyber Security Newsletter - February 2019 This newsletter looks at the topical issues in data protection and cyber security and notable developments, both in the UK and further afield.
- GDPR 25/02/2019 New guidelines on the territorial scope of the GDPR The GDPR has created new obligations for non-European businesses in certain circumstances. Since the Regulations were first published there has been uncertainty in relation to the full extent of the territorial scope of the GDPR itself.
- GDPR 25/01/2019 CNIL reminds Google of the importance of obtaining a “GDPR” level of consent – with a €50 million fine! This month, the Commission Nationale de l’Information et des Libertés (CNIL), the French data protection authority, issued a fine of €50 million against Google for its failure to obtain valid consent as a legal basis for processing user data.
- GDPR 07/01/2019 EU-US Privacy Shield reviewed! Trump must appoint an Ombudsperson or face action under the GDPR! The European Commission undertook its Second Review of the EU-US Privacy Shield in October 2018 and, in light of the Commission’s publication of its Report in late December, we consider the implications of this report for business. If you share personal data with the US or are considering sharing personal data using the mechanism known as the EU-US Privacy Shield, read on.
- GDPR 02/10/2018 First formal enforcement action under GDPR The ICO has issued has issued its first enforcement action under the GDPR.
- GDPR 16/10/2018 Data Protection, Privacy & Cyber Security Compliance Data protection law changed significantly in May 2018 with the introduction of the GDPR and UK Data Protection Act 2018. The 25 May 2018 deadline has passed – does this mean we can forget about data protection?
- GDPR 15/10/2018 English court decides there is no automatic right to compensation for data breach victims Justice Warby of the Judiciary of England and Wales recently handed down his judgment in the case of Lloyd v Google LLC, which denied permission for claimants to bring a class action against Google for a breach of the Data Protection Act 1998 known as the “Safari workaround.” This decision, although taken under the “old” data protection rules, may also have consequences for any subsequent actions taken under the new data protection legislation – the GDPR and the Data Protection Act 2018.
- GDPR 15/10/2018 The new data protection fee – ICO cracks down on non-payment! The Information Commissioner’s Office (ICO) has recently issued 34 enforcement notices to organisations who have failed to pay the new data protection fee under the GDPR and Data Protection Act 2018 (DPA 2018).
- Brexit 20/09/2018 What would a “no deal Brexit” mean for data protection legislation? As the UK’s withdrawal from the EU gets closer – only 6 months to go – many members of government and the general public (across the UK and EU) are asking themselves what happens to UK legislation/regimes on 30 March 2019 if we have not agreed a “deal” with the EU.
- GDPR 19/11/2018 Go to jail, move directly to jail, and do not collect any personal data Last week, the Information Commissioner’s Office (ICO) – the UK data protection authority – brought proceedings against a motor industry employee who had been accessing personal information from customers without permission. The resulting sentence was six months in prison.
- GDPR 28/11/2018 Marketing industry faces new rules on data The Committee of Advertising Practice (CAP) recently published changes to its CAP Code. These changes were in response to a recent consultation, to ensure the code was aligned with the GDPR and covered data protection issues most relevant to marketing practices.
- GDPR 16/08/2018 ICO investigates the use of data analytics in political campaigns How did you vote in the EU Referendum? Chances are that you may have been targeted by advertisements on social media that were from or related to political campaigns (from either side of the fence).

"They are responsive and efficient, and there is a good depth of knowledge within the firm."

Chambers UK Guide to the Legal Profession
MacRoberts LLP’s ‘excellent’ team is noted for its ‘quick turnaround time’ and ability to ‘deal with complex issues in an efficient manner’.
Legal 500
"They are very good and very supportive - it feels like they are an extension of the business."
Chambers UK Guide to the Legal Profession
"Let me thank you and your team for your time. Clearly, you present well, show mastery of your subject area and think on your feet."
Major US Law Firm
"Their standards have been excellent - they are responsive and know the legal solutions but also the commercial considerations."
Chambers UK Guide to the Legal Profession

Charities & Third Sector

MacRoberts is a leading adviser to charities, the third sector and social enterprise in Scotland and we have a deep understanding of the issues and challenges facing the sector.

Third Sector

Latest updates from @MacRoberts

We're proud to celebrate the #First100Years of #womeninlaw and looking forward to a fascinating Friday afternoon at… https://t.co/dMxuwohT3J 20/09/2019
Does your organisation provide #Social, #Care or #HealthServices for the public sector? You may soon have to consid… https://t.co/4bs0XP2M6Z 19/09/2019
We're excited to be at @dundeeuni today to meet with #lawstudents looking to start a #career in #law! We'd be delig… https://t.co/WA7hXuDv8g 19/09/2019
RT @DundeeAndAngus: Delighted to kick off today’s #daccevents with our president Ian Collins, thanks to our table sponsors for their suppor… 18/09/2019
RT @L_Wils24: “In business, people talk about doing simple things well; in a people business if you’re not visible and speaking to people t… 18/09/2019
RT @rupamooker: Great article about @MacRoberts in the Herald today from our Managing Partner, Neil Kennedy. #glasgow #edinburgh #dundee… 18/09/2019
Have you signed up for our autumn #employment #law seminars? Join us in #Glasgow #Edinburgh & #Dundee for an update… https://t.co/ETuud5CJuf 18/09/2019
"In business, people talk about doing simple things well; in a people business if you're not visible and speaking t… https://t.co/CIKNrcybQe 18/09/2019
Are you up-to-date with the latest developments in #charitylaw? Join us in #Edinburgh next Wednesday morning for a… https://t.co/4mCR6mk1Ch 17/09/2019
Are you considering a #career in #law? We're excited to be at @aberdeenuni #lawfair today and looking forward to me… https://t.co/9avQugBsvx 17/09/2019
One week to go! Have you signed up for our Interview Under Caution event with @Lockton? Join us in #Edinburgh for a… https://t.co/Zyqm47GiGv 17/09/2019
ICYMI: Read the latest from Neil Kelly on the latest decision from the Scottish Appeals Court in relation to a Scot… https://t.co/N66U7FlB5g 16/09/2019
While #Brexit continues to cause uncertainty for businesses, @marikaflawyer looks at the impact a #nodeal Brexit wo… https://t.co/oRmKlQ6vZu 16/09/2019
Good luck to our team taking part in @thekiltwalk in #Edinburgh today, supporting our fantastic #charity partner… https://t.co/yijXN9Gq88 15/09/2019
Good luck to our team who is taking part in @thekiltwalk in #Edinburgh in support of @ENABLEScotland this weekend!… https://t.co/ah8MnXQpEz 13/09/2019

GDPR & Cyber Security

What does the EU General Data Protection Regulation (GDPR) mean for businesses?

New obligations for data processors

Affirmative consent requirements for processing

Privacy by design obligations

Potential fines for security breaches

Enhanced rights of data subjects

Appointment of Data Protection officers

International reach

Does your business comply with the EU General Data Protection Regulation?

The 12 Steps Checklist

Step 1 - Awareness

Step 2 – Information you hold

Step 3 – Communicating privacy information

Step 4 – Individuals’ rights

Step 5 – Subject access requests

Step 6 – Legal basis for processing personal data

Step 7 – Consent

Step 8 – Children action to be taken

Step 9 – Data breaches

Step 10 - Data protection by design and data protection impact assessments

Step 11 – Data protection officers

Step 12 – International

Cyber crime Legal Advice & Criminal Defence Scotland

Auditing and data mapping

Training and workshops

Online training

Face-to-face training

Template and tailored documents

Tailored advice and assistance

International transfers

Charities & Third Sector

Latest updates from @MacRoberts