GDPR: don’t ignore your data protection obligations

8 November 2017

New General Data Protection Regulations come into effect on 25 May 2018

If your business holds a database containing personal data this affects you. It is hard to imagine a business that does not hold such data; it doesn’t have to be on a computer, and any simple list of customers or employees is covered by the Data Protection Act, whose provisions are enforced by the Information Commissioner’s Office (ICO).

A recent high profile case brought by the ICO against TalkTalk led to a fine of £100,000. That was under the existing legislation. Had the offence occurred after 25 May next year the fine could have been much higher, up to 4% of global turnover or £20m, whichever is the higher. Smaller businesses have also suffered hefty fines, more often for sending out spam emails or text messages without the recipients’ consent but others have been fined for failing to keep their data secure, thereby allowing hackers to steal personal data.

The theft and misuse of data is rife but has been going on for longer than you might think. The world’s first national data network was set up in France in the late eighteenth century and consisted of a series of hilltop semaphores designed to relay information from Paris to other cities. Its use was reserved for the Government but in 1834 two bankers found that they could include other messages by bribing the semaphore operator in Tours, and contrived to convey bond prices from Paris to Bordeaux by piggy-backing on the Government’s system. They therefore received news of movements in prices several days before other bankers and made huge profits out of the advantage.

Explicit consent will be imperative

Back to the present, the new regulations demand more accountability for the use of personal data and enhance the rights of individuals. They apply to all businesses processing personal data, even if not computerised. Personal data is anything that may identify people, such as name, email address or even CCTV footage. Underlying this is the principle of consent. You cannot use personal data without the consent of the individual, and there is a presumption that the consent expires if not regularly renewed. The guidelines state that if consent has not been given in the last two years use of the data is unsafe. Consent must be given by a positive action by an individual (ie. not just the failure to untick a box). The text of a consent request must be clear and specific and must name any third parties that may have access to the data. It must also give clear instructions on how consent may subsequently be withdrawn. Individuals will have the right to submit a Subject Access Request to an organisation that holds their data and this will need to be dealt with within one month.

There is also a requirement to report data breaches to the Regulator within 72 hours of discovery. It is obvious that this would apply to a hacking incident but it also includes everyday mishaps such as putting a letter addressed to one individual into an envelope addressed to another.

Businesses must have a Privacy Notice and it is recommended that they carry out Privacy Impact Assessments.

A few scare stories and some false information has been circulating. One such story being the size of the fines. It is true that for large businesses a fine of 4% of global turnover might amount to £billions, but the Information Commissioner’s Office has been keen to reassure that fines will remain commensurate with the severity of the offence and only applied in very serious cases. It has also been rumoured that dentists (for example) will no longer be able to send SMS reminders to patients – this of course is perfectly acceptable so long as the patient has given consent. Some organisations have been offering data security compliance reviews with accreditation. Don’t buy these! No official accreditation is available and you can find out all you need to know on the website of the ICO.

On the other side of the coin advice is circulating that this is EU meddling and there is no need to do anything now we that are leaving the EU. Wrong! This is UK legislation that will remain in force after Brexit.

In conclusion you do need to do something and a starting point is to list all the types of personal data that your business holds and where you hold it. You may find that you have a number of databases and lots of paper files that contain such information. The ICO sets out 12 steps that you need to take. Follow this link to find them. Finally if you need help just contact me or your usual UHY partner.