GDPR launches 25 May 2018
If you think that data protection is something that doesn’t really apply to your business, or if your philosophy is ‘of course we comply with the regulations, it’s only big companies that have problems with data protection’, then the time has come to think again!
The General Data Protection Regulation (GDPR) comes into force in the UK on 25 May 2018, and before then every business must consider how the regulation will impact on them.
The regulation places a greater level of accountability on businesses in protecting the privacy of individuals and gives greater regulatory powers to the Information Commissioner’s Office (ICO), which, for the most serious violations of the law, will be able to issue fines of up to €20 million or 4% of turnover, whichever is the greater. This compares with a maximum fine under the existing Data Protection Act 1998 (DPA) of £500,000.
Protecting the individual
Like the DPA, the GDPR applies to ‘personal data’; however, the definition of personal data has been expanded to fit the modern world. This means that personal data can be anything which can be used to identify a person, including items such as the IP address of a computer.
For the processing of data to be lawful under the new regulation, a lawful basis must be identified before the data can be processed. The most common lawful basis will be that the ‘data subject’ has given consent to the processing of their data. However, where the lawful basis is consent, the ‘data subject’ will now have greater rights over access, deletion and the restriction of processing.
Consent will have to be freely given, specific and verifiable, and will require some form of positive action rather than businesses relying upon a pre-ticked box as is often the case with online forms today.
This creates a new issue for employers, who will have to ensure that employees’ consent to the processing of their data is freely given before it can be processed, a concept made more challenging where there is naturally an imbalance of power between the parties.
The GDPR brings in a completely new accountability requirement. Businesses will need to be able to demonstrate that they are committed to data protection, which will mean having appropriate policies and procedures in place, and following them. Part of this will require senior members of the business to consider where risks of data protection breaches exist, creating a priority list for these risks to be managed and then taking steps to eliminate the risks. Procedures will need to cover both electronic and hard copy data and policies should be designed to protect the privacy of individuals in areas such as collecting, storing, sharing, reviewing and processing data.
The new requirement to document considerations surrounding data protection places the onus on the business to show that they have complied with the law. What does this mean in practice? Well, the ICO no longer has the burden of proof – imagine how many convictions would take place if the general principle was guilty until proven innocent!
Finally, the GDPR introduces a duty on all businesses to notify the relevant supervisory authority of any breach which is likely to result in a risk to the rights and freedoms of individuals. In cases where the breach is likely to result in a high risk to the rights and freedoms of individuals, the individuals concerned also have to be notified directly. There are large fines for failing to notify of a reportable breach.
Small businesses need to take note
And if you think the GDPR will concentrate only on larger businesses then think again. The Information Commissioner, Elizabeth Denham, has made it clear that all businesses must take responsibility for protecting the privacy of individuals. The ICO made an example of a small business recently by fining them £60,000 after their website was hacked. Sally Anne Poole, ICO Enforcement Manager, was quoted as saying ‘Regardless of your size, if you are a business that handles personal information then data protection laws apply to you. If a company is subject to a cyber attack and we find they haven’t taken steps to protect people’s personal information in line with the law, they could face a fine from the ICO. And under the new General Data Protection Legislation (GDPR) coming into force next year, those fines could be a lot higher’.
Could there have been a clearer warning to SMEs than that?
The GDPR will transform data protection from being a ‘box ticking exercise’ and force businesses to change their attitudes, or face the consequences financially and, potentially more damaging, to their reputation.
At McCabe Ford Williams we are already committed to protecting the privacy of our clients, staff and suppliers but we will be performing our own internal review based on the GDPR to ensure we provide the data protection environment our stakeholders expect. We urge you to do the same.
As part of preparing for GDPR you should be looking at your cyber security. Read more in our Cyber Security blog.