The GDPR (General Data Protection Regulation) came into force on 25 May this year. If you are a business owner you should have taken the necessary steps to comply. My recent article on Penny Post mentioned some of the key priority areas to consider, but I thought it would be useful to give a bit of a post-GDPR-day update.
The GDPR is a European regulation that became immediately enforceable throughout all EU countries on 25 May. Given that the UK will be leaving the EU, the Government introduced the Data Protection Bill to bring the GDPR into UK law, and on 23 May this year the new Data Protection Act 2018 received Royal Assent.
There will be a few differences between the Act and the GDPR in order to make the rules more relevant to the UK, but the Act will essentially stick to the same six Principles as under the GDPR.
The Six Principles
• Personal data must be processed fairly and lawfully
• The purposes of processing must be specific, explicit and legitimate
• Personal data must be adequate, relevant and not excessive
• Personal data must be accurate and kept up to date
• Personal data must be kept for no longer than is necessary
• Personal data must be processed in a secure manner
The whole purpose of data protection legislation is to give us as individuals (data subjects) more control over our data. Remember, the data that companies hold about us is our data, not theirs – it’s therefore right that we have more control over how it is used, how and for how long it is stored, and with whom they share it.
Penalties
Since 25 May you may, as an individual, have noticed a reduction in junk email. Companies must have a lawful basis for contacting you, and those that flout the law can now be hit by the Information Commissioner’s Office (ICO) with much larger penalties than under previous legislation. Recently there have been some notable fines imposed by the ICO – here are a few examples. As you can see, nobody is exempt.
• The Independent Inquiry into Child Sexual Abuse – fined £200,000
• Yahoo – fined £250,000
• British Telecom – fined £77,000
• Gloucestershire Police – fined £80,000
• The Crown Prosecution Service – fined £325,000
• The University of Greenwich – fined £120,000
Some of these organisations were fined under the previous legislation but the ICO’s teeth are significantly sharper than under the old DPA. To add even more bite to the regulations, company directors can be held personally accountable.
The GDPR in action
I have been working with several companies on the GDPR (and I still am) and I think it’s true to say that they were all surprised at how much is involved in getting, and remaining, compliant. Some companies are required by law to appoint a Data Protection Officer (DPO): in my capacity as a DPO I’m already finding that data breaches, even if minor, can be quite common.
So far, the most common examples are emails being inadvertently sent to the wrong person. It’s unlikely that such a breach would be reportable, unless the email contained information that “is likely to result in a high risk of adversely affecting individuals’ rights and freedoms”. Nevertheless, I suggest that all breaches should be recorded internally on a breach register. I’m told that 81% of all breaches involve weak, default or stolen passwords.
Another issue that individual data subjects are latching onto is the fact that we are all entitled to get access to our personal data that companies hold. So, as a company you may see an increase in “Data Access Requests”. These requests need to be dealt with swiftly and according to specific rules, so it’s really important that businesses have their processes documented and understood by staff.
Under the GDPR businesses need to have in place compliant contracts with suppliers and business customers, specifying which party is the Data Processor and which is the Data Controller. These contracts must contain certain information as detailed in the legislation, including the subject matter and nature of processing, the duration of the contract, the types and categories of data and the rights and obligations of the Controller. An example might be where a business outsources its payroll – in this case the payroll company would be a Processor. A cloud provider would also be a Processor and if the provider’s data centre is outside the EU there are other important implications to consider.
There are also two wider points at work. Firstly, even if your business has taken no action, it is lagging behind the current trend, which is that data protection is increasingly regarded as a serious aspect of good corporate ethics. A company which is casual about these issues is increasingly likely to find itself not only suffering fines (see above) but also losing the confidence of its customers. Secondly, and perhaps more directly, if you are planning to sell your business and even a part of its value derives from its personal data, non-compliant practices may reduce its value or end the interest of a prospective purchaser. In short, compliance can help ensure both a competitive advantage and a sound exit strategy.
For more information
Business owners need to understand that if they process personal data (any data that could identify a specific living individual, such as a name, address or email address) then they need to register with the Information Commissioner’s Office and pay a small fee.
The ICO website offers a range of articles, tools and resources that can help. Alternatively, you can contact me if you require further help or advice.
Nick Richards is a business advisor, non-executive director, data protection officer and accredited GDPR Practitioner. Nick can be contacted on 07774 189008 or at [email protected].