Sean Stuttaford, Thompson Smith and Puxon’s Chief Operating Officer and Data Protection Officer, discusses the General Data Protection Regulation (GDPR).
As I write this article there are many reports of metaphorical “sticks and stones breaking bones” in discussions between the European Union and the UK.
If today’s “Brexit” newsfeeds are to be summed up in three words, “lack of progress” seem to be the most felicitous.
There is uncertainty relating to time scales, vague discussions of “deal or no deal” – which in passing sounds more like an advertisement for a quiz show – and much rhetoric from both sides.
With all of this going on in the background, it is no wonder that even businesses, charities and sports clubs that are aware of the new regulations are less than convinced that the EU’s GDPR is worthy of more than a cursory glance.
However, the UK’s Information Commissioner’s Office (ICO) has made it clear that the GDPR will be coming into force in May 2018 regardless of the status of “Brexit”. So the answer to the title of this article is, in short, “No, it won’t!”
For GDPR Newbies
So… for the reported 1/3 of businesses that are yet to start preparations, what is going on, in a nutshell?
Well, to begin with, the basic principles of the GDPR are not dissimilar to those of the Data Protection Act (1998). What looks to have changed is the level of control EU citizens will have over their personal data in relation to how it is processed. Changes include:
- Tighter rules relating to consent will mean that permission to store or process data must be specific, informed and unambiguous
- Individuals will have a new right to be forgotten where there is no legitimate reason for an organisation to retain their information
- Businesses will be held much more accountable for not complying with the principles
- There will be an expanded geographical reach; businesses outside the EU that anticipate providing services to EU citizens will be included
- Mandatory self-reporting of GDPR breaches within 72 hours – but there is an “if” to come here
- Penalties for not complying with the regulations have been increased to a maximum of 20m Euros or 4% of annual worldwide turnover
The ICO has numerous helpful documents on their website that relate to the new regulations, but one of the most useful is the 12 Steps to Prepare.
- AWARENESS – make sure key personnel know about the GDPR and its impact
- INFORMATION – document the information you currently hold
- COMMUNICATION – review privacy notices
- RIGHTS – ensure your procedures cover an individual’s new rights
- ACCESS – update your plans for subject access requests from individuals
- LEGAL – check your legal basis for holding personal data
- CONSENT – review and update how you are seeking consent
- CHILDREN – have a process to gather parent or guardian consent
- BREACHES – have the correct procedures to detect, contain and report
- DESIGN – undertake Privacy Impact Assessments where appropriate
- OFFICERS – consider if a Data Protection Officer is necessary
- INTERNATIONAL – consider which authority your business comes under
What’s the truth?
There is a lot of information available on the internet, not least in articles like this one. Some of it seems slightly conflicting and some of it is just plain scary. It seemed worthwhile addressing some of the common misconceptions for our readers.
A lot is being made of the new maximum fines, but in reality fines are likely to be proportionate to the breach. Consideration should be given to whether this is really the main risk to your business, or whether the risk of being in the local or national media following a breach of the new rules would damage you more. It should be remembered that reputational damage is very hard to rectify.
When it comes to what to do if you do suffer a data breach, it is true that it will be mandatory to report a breach within 72 hours… BUT… only if it is likely that individuals’ rights and freedoms are placed at risk by the breach. This means that not every breach will need to be reported, but businesses will require new processes to determine whether a breach meets the threshold for reporting.
Taken at face value, it would seem that the GDPR is a huge revolution in the responsibilities of a business, and will be an onerous and unwieldy set of policies and procedures with the ability to bring a business to its knees. In reality the rules are an evolution of the current data protection laws, and if you are complying well now, you will be well on your way to being compliant in May 2018.
That is not, however, a green light for a business to sit back and be complacent. All organisations should review the 12 steps above, but keep in mind that the robustness of the process should be proportionate to the risk relating to the data being processed. Charities, sports clubs and marketing departments need to give further detailed thought to consent and the right to be forgotten – particularly if they handle sensitive information or data relating to minors.
The Futurist View
No matter who it may be attempting it, predicting the future is fraught with difficulties. For example, in 1932 Albert Einstein said “There is not the slightest indication that nuclear energy would ever be obtainable”.
That said, let’s have a go at predicting potential fallout from the GDPR.
Firstly, the GDPR will come into force on May 25th 2018. It is also likely that there will be stories in the media of a large corporation (or two) breaching the new rules and suffering the penalties of large fines and reputational damage.
For those of us mere mortals in SME organisations, our difficulties are more likely to come from falling foul of the need to have simple processes to handle data access requests and privacy impact assessments, from not obtaining consent where required, and from accidentally sharing unencrypted data.
The biggest risk I can see coming, though, is the creation of a new industry. In the same way that PPI claims have resulted in a long-running sore for the banking sector, it is conceivable that we will see claims companies contacting the public and offering to chase businesses for compensation for breaching the GDPR on a wave of “No Win, No Fee”. Claims for compensation may include actual losses from fraud, or even claims for emotional stress if data wasn’t protected properly or was breached.
No matter what the future holds, though, there is no need to be scared of the GDPR. With some good advice, simple processes and the application of core principles, your organisation can protect itself.
How can we help?
We are able to help our clients with various stages of the 12 steps outlined above, but have found that the most common areas where we can assist are contractual terms, employee-related issues, and legal basis and consent queries.
Our Business Services team can be contacted on 01206 574431 or by email at firstname.lastname@example.org