Post GDPR: Should you still be worried?
The 25th May 2018 has been and gone and no-one has knocked on the door about compliance with data protection, so do you really need to be concerned about spending time, resources and money on GDPR?
The short answer is yes.
Between 25th May and 31st October 2018 the ICO has issued 14 financial penalties (ranging from £60,000 to £500,000), issued six enforcement notices, two prosecutions and one undertaking. This makes it clear – all organisations and individuals need to take responsibility for data awareness and compliance.
A recap of the key principles arising under GDPR are:-
- Lawfulness, fairness and transparency in relation to the use of data
- Purpose limitation so that data is only used for a defined purpose
- Data minimisation to ensure that only the minimal amount of data is collected for your organisations requirements
- Accuracy and keeping that data up to date
- Storage limitation
- Integrity and confidentiality
The two key elements for anyone processing data are ensuring and continuing compliance and what do you do if there is a data breach.
The importance of having in place appropriate contracts, policies, staff training and privacy statements cannot be underestimated as the financial and other consequences can be significant, with greater penalties arising in respect of sensitive data.
Compliance with GDPR can seem like a mountainous task but it can be broken down into smaller manageable tasks and, in reality if you were in compliance with the Data Protection Act, then you are probably half way there to demonstrating you are compliant with the GDPR.
If you have not already conducted a data information audit, GA has made available a free data audit questionnaire which can help you identify the next steps for compliance.
If you have not started or completed your compliance with GDPR, there is no need to panic but it is imperative that you have a plan of action in place for demonstrating your timeline for compliance.
Consider the fact that it may not be the ICO randomly checking on your compliance, but it could be the receipt of a Data Subject Access Request which may highlight areas of non-compliance or the reporting of a data breach which could instigate an investigation.
Any organisation or individual processing data should take data breaches very seriously in the new data protection landscape. Every member of the organisation should be data aware and take responsibility for ensuring data protection and data compliance.
So what is a data breach? The ICO defines this as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data”. Therefore, a data breach does not refer to only losing personal data, it has a much wider scope.
The biggest risk to data is accidental or intentional breaches of data internally, such as wrong addresses on letters and emails. Regular ongoing training will ensure that everyone in the business understands the importance of GDPR and the compliance journey.
Remember, the potential financial consequences for getting it wrong can be quite significant.
A recap of the GDPR penalties:-
- Up to 2% (or up to 10 million euros) of annual turnover for personal data breaches
- Up to 4% (or up to 20 million euros) of annual turnover for sensitive data breaches
- Administrative fines (depending upon any aggravating or mitigating features)
- Corrective orders issued by the ICO
- Employer taking sanctions against employees for (gross) misconduct
- Legal action brought by the ICO or data subject resulting in compensation and/or damages
- Reputational damage
Addressing a data breach
There are very strict timescales in which data breaches need to be reported to the ICO (within 72 hours). If there is a persistent pattern then not only could this increase the likelihood of a compliance audit but lead to enhanced punitive fines and penalties.
Thankfully, the ICO has confirmed that it does not require every data breach to be reported to it. The organisation will of course need to maintain its own breach registers and document its reasons for not reporting any particular breach to the ICO.
Breaches which will have to be reported to the ICO are those which involve “breaches of personal and/or sensitive data which have a high risk of adversely affecting a data subject’s rights and freedoms”. In simpler terms, this means that a data breach is an incident that has affected the confidentiality, integrity or availability of data about an individual.
For example, the mixing up of pay slips which would contain sufficient information for identity to be cloned, or staff clicking on email links which allow third parties to access the organisations computer systems.
In those circumstances the organisation will also need to consider whether it is also appropriate to notify the individuals as well.
In conclusion, your organisation should ensure that it has taken steps to put in place a robust breach procedure detailing methods of detection, investigation and reporting with ongoing staff training. Data awareness and data responsibility by all may help your organisation not only to reduce the number of data breaches it may suffer but also to demonstrate what has been learnt going forward to avoid a repeat.
If you need support to understand or meet the regulations then contact GA Solicitors. We can assist you with GDPR compliance, guidance on reporting and also employee sanctions if required, ensuring all activities are in compliance with the law.