Is your business ready for GDPR?
On the 25th May 2018 the General Data Protection Regulations (GDPR) will become law.
The GDPR will replace the Data Protection Act 1998. If your business holds any personal information relating to individuals then you will need to ensure that you have procedures in place to ensure that this information cannot be misused, is accurate and cannot be obtained by unauthorised access.
Just some recent examples of companies breaching Data Protection rules are Uber, M&S, Sports Direct, The RSPCA, The British Heart Foundation and Plymouth Hospitals NHS Trust. It is a big issue which GDPR looks to address, and it includes significant penalties for those that do not comply.
Why should I be concerned about GDPR?
If you keep HR records, customer lists, contact details and other personal information including sensitive data (now renamed special classes of data) you will be caught by the new regulations. This is of course almost every business!
There also appears to be a trend of businesses not being registered with the Information Commissioner despite processing data.
Worryingly, research by LogRhythm, Gigamon and Forescout Technologies indicated that 44% of companies have suffered a data breach in the past, with 68% losing sensitive data. However, a huge 52% of businesses still have not taken any steps to make sure that they will be ready for GDPR.
The purpose of the new regulations is to ensure that all businesses take steps to reinforce their processes and procedures, ensuring that data storage and the management and processing of that data are secure. Data can only be processed for a particular purpose and must then be deleted, so as to protect that information.
Complying with the regulations is mandatory. Failure to comply with GDPR will mean increased legal liability for any breaches of data protection. For serious breaches of special classes of data this could mean financial penalties of up to 20 million euros or 4% of annual turnover (whichever is greater). For other breaches the financial penalty is up to 10 million euros or 2% of annual turnover (whichever is greater). In addition, you may also be at risk of claims for compensation for any data breaches from the individuals concerned or other corrective action orders from the Information Commissioner.
What is meant by data?
Although the definition of data has been broadened, essentially this means any information which can be used to identify an individual (whether genetic, mental, economic, cultural or social). An IP address for example will now be considered as data due to the advances in, and social use of, technology. The regulations will also cover manual as well as automated systems.
The GDPR has also extended the definition of special classes of data. This now includes genetic data and biometric data. For example, schools using fingerprint technology for payment of school meals will be caught.
It should be noted that special classes of data are afforded even greater protection under the GDPR and carry a requirement for explicit consent, unless other lawful grounds for processing exist.
The GDPR essentially strengthens some of the current rights that data subjects have under the Data Protection Act, but it also creates new rights.
An overview of the GDPR rights is as follows:
- The right to be informed
- The right of access
- The right of rectification
- The right of erasure (i.e. the right to be forgotten)
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
You will no longer be able to charge for providing the data, unless the request is unreasonable or involves a large amount of data. The timescale for providing the information has also been dramatically reduced.
A significant impact of the GDPR is the new accountability requirements. Your business will have to demonstrate how it complies with the principles of the GDPR, for example by creating and maintaining data risk registers so that compliance can be demonstrated in a transparent and auditable manner, and by putting in place policies and procedures detailing the use of data, such as Fair Processing Notices and Privacy Notices.
Your business will have to ensure that all personal data is:
(a) Processed lawfully, fairly and in a transparent manner in relation to individuals;
(b) Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
(c) Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
(d) Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
(e) Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals;
(f) Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
What do I do if there is a GDPR data breach?
There will now be a duty on you to report data breaches to the supervising authority, the Information Commissioner's Office (ICO), where the breach is likely to result in a risk to the rights and freedoms of individuals, and in some circumstances to the individual concerned. You will need to assess this on a case-by-case basis.
If a breach is not caught by the above position but is left unaddressed, it may have a significant detrimental effect on individuals. Examples would be: discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage. If this is the case you are required by law to report the breach.
If you have a notifiable breach, then it must be reported to the ICO within 72 hours. It will often be impossible for you to investigate a breach fully within this time period, but the GDPR makes provision for you to provide information in phases.
In light of the tight timescales for reporting a breach, it is imperative that you have robust breach detection, investigation, internal auditing and reporting procedures in place by May 2018.
What steps should I be taking to prepare for GDPR?
- Conduct an audit: All businesses will need to undertake an audit of what data they collect and decide whether that information is caught by the personal data requirements of the GDPR.
- Establish the legal basis upon which you hold the data: For processing to be lawful under the GDPR, you need to identify the legal basis upon which you are holding the information. The lawfulness of processing conditions include:
  - 6(1)(a) – Consent of the data subject
  - 6(1)(b) – Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract
  - 6(1)(c) – Processing is necessary for compliance with a legal obligation
  - 6(1)(d) – Processing is necessary to protect the vital interests of a data subject or another person
  - 6(1)(e) – Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
  - 6(1)(f) – Processing is necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject
- Review your consent procedures: You will need to review how you obtain consent and, once obtained, whether you need to review the basis upon which it is renewed to allow you to continue to hold and process that data. Under the GDPR, your legal basis for processing the data has an effect on individuals' rights: if you rely on someone's consent to process their data, they will generally have stronger rights, for example to have their data deleted. Therefore, if you can, you should process data based on one of the other legitimate grounds, such as contract or a requirement of law.
- Appoint a data protection officer: You may need to appoint a data protection officer (DPO) for your business who will ensure compliance with GDPR. They must have the authority to report to the senior post holders in the business without fear of any recourse against them. They will be the point of contact with the supervisory authority and staff. It is an extensive role and must be fully understood and appreciated.
- Staff training: You should make sure that all of your staff understand what constitutes a data breach, and that this is more than simply a loss of personal data. Staff should be aware of who the nominated DPO will be and be clear on internal breach reporting procedures.
As these are significant changes you will need time to undertake an audit of your business and put in place suitable compliance measures so that you are ready for 25 May 2018.
This can seem a daunting task and legal guidance can help you to determine what measures you need and how to implement them.
GA Solicitors can provide a FREE data audit template, as well as a guidance document to get you on the right path. I am an accredited GDPR practitioner so have a thorough understanding of what is required at each step.
You can find out more about our GDPR legal offering by visiting the page on our website.
If you need to discuss your GDPR requirements in more detail, or would like a copy of our free audit template and guidance, then please contact me by calling 01752 203500 or by emailing donna.butler@GAsolicitors.com.
Donna Butler, solicitor