For those who think that the Right to Erasure is an entitlement to reminisce with some ‘80s synth-pop (which I agree is no bad thing), it is time to wake up to the General Data Protection Regulation (GDPR), which comes into effect on 25th May 2018 and will affect just about every business in the UK, regardless of Brexit. It is a complete overhaul of our data protection laws and impacts every business that holds or processes the personal data of others – so just about every business, unless, of course, your business doesn’t have employees, suppliers or customers!
The Information Commissioner’s Office (ICO), which is responsible for enforcement of data protection in the UK, has advised businesses that they need to prepare. However, a number of businesses have not put adequate safeguards and transitional arrangements in place and, as a result, are woefully under-prepared, since significant restructuring is likely to be required in order to be GDPR-ready.
How Severe Are The Fines?
Once the GDPR is implemented, the ICO will be funded solely by fines. These will include fines for breaches of up to €20m or 4% of total worldwide annual group turnover and, for less serious breaches, the expectation is that the fine would be €10m or 2% of total worldwide annual group turnover – in each case, whichever is higher.
The ICO has confirmed that there will be no “soft” launch; businesses are expected to be fully compliant by 25 May 2018.
To be unprepared is to potentially face:
· Prosecution or regulatory enforcement, resulting in substantial penalties (as above).
· Adverse publicity, reputational damage and a loss of customer trust.
· Missed opportunities and wasted resources.
· Sanctions in jurisdictions other than the UK.
· Increased scrutiny from data protection authorities.
· Civil liability or punitive damages for employment-related breaches.
· Criminal liability for directors and senior managers, which could result in imprisonment and substantial personal penalties.
· Critical system delays and failures.
· Orders issued by the ICO that impact businesses. We note that the ICO can use its investigative powers to carry out audits, to demand that information be disclosed and to access a business’ premises.
· Impact on business continuity.
· Becoming embroiled in litigation and its attendant time, effort and expense.
What’s Driving This Change?
The aim behind the implementation of the GDPR is sensible; it is to avoid, amongst other things, identity theft, credit card fraud, and failure to comply with privacy policies which may lead to theft and deception. The abuse of health data, financial data, or child data can have an adverse impact on insurance, credit, jobs or parental control.
A customer has a fundamental right in the UK to have their personal data protected and it may only be processed – meaning obtained, recorded, held, used or disclosed – under certain circumstances. This will obviously have a wide impact on your business.
What Will You Need To Review?
A well-constructed and comprehensive programme of GDPR analysis and implementation for your business can provide a solution to these various competing interests, and represents an effective risk management tool.
In particular, the business will need to carefully review existing procedures for obtaining an individual’s consent to process their personal data. This is more than a tick-box exercise; you must be specific in explaining to the individual – whether they are an employee, contractor, supplier or other – what personal data you intend to hold, for what specific purpose, and for how long. You must explain how they may demand that such data be erased in the future, and the individual must make an informed, affirmative decision to allow you to hold and use this information.
Where Should the Action You Take Lead You?
The business must be in a position at all times to respond quickly to any data subject’s request, and this is likely to require substantial modification to the business’ technological infrastructure and organisational processes. The staff handbook may need to be amended in relation to employee monitoring, and a written and comprehensive information security programme will be needed to protect the security, confidentiality and the integrity of any personal data held.
The business should set out action plans for a security breach, disaster recovery, and data restoration. It will also be required to carry out privacy impact assessments before any processing that uses new technologies and is likely to result in a risk to data subjects. The business must notify the ICO of all data breaches within 72 hours, and will, therefore, need to look carefully at its data breach response plans and procedures.
The above represents a short synopsis of the requirements of the GDPR and there are many more that are not included, which are equally as important. Preparing for compliance will clearly need considerable planning across the business and you may well want to take some professional advice.
What is the Best Way to Prepare to Become Compliant?
We recommend that your business carries out regular training and reviews of its policies. However, you first need to understand the threats and the risks, and the specific steps that need to be taken, rather than having only a general sense of them. We recommend that the GDPR is properly understood at Board level, which means owners and directors doing their own homework on the regulations and then drafting the necessary documents and procedures for the business to follow. Alternatively, they will need to undertake the same exercise by working closely with trusted advisors.
Beware the emergence of the “GDPR Consultant” who claims to be able to “do your GDPR” for you; some will know what they are doing and others won’t, but either way, when they move on, it will be your responsibility to ensure that your business is run in a GDPR-compliant way going forward.
How We Can Help You
Our expert solicitors at Giles Wilson, based in Leigh-on-Sea and Rochford, can advise and assist you through the process. Please contact Philip Giles on 01702 477106 or email firstname.lastname@example.org for more information about how to comply with the new GDPR requirements.