GDPR: Stay Calm
Later this month, 25 May 2018, the General Data Protection Regulation (GDPR) will come into law. This will be backed up by a UK Act that adds to and clarifies some of that European law. All indications are that the law is unlikely to change again after Brexit as the UK will still want to be part of a uniform compliance regime for handling personal data across the EU.
So it looks as though the biggest development in data protection since the 1998 Data Protection Act is here to stay. The Information Commissioner’s Office (ICO) is keen to stress that this is legal evolution not a revolution. However, there are significant impacts on businesses.
Why is GDPR important?
Not only is it the law, but there are fines of up to €20m or, if higher, 4% of worldwide turnover for breaches of the Regulation. Under current law there have been over 30 fines levied, ranging from £250 to £400,000, across all sectors from plcs to charities as well as Government organisations. Compliance is about to become harder to achieve and maintain, so we expect greater use of penalties once the changes have bedded in. Data processors will now have additional responsibilities as well as data controllers.
Personal liabilities for Directors, Managers and Company Secretaries
There are some limited areas of personal liability but these are still being finalised as part of the new Act.
Most businesses want to look after their customers’ and prospective customers’ data. Organisations will need to go to greater lengths in order to obtain consent to processing personal data.
Compensation claims by data subjects
A person who has suffered material or non-material damage as a result of an infringement has a right to receive compensation from the controller or processor for the damage suffered. GDPR establishes the joint and several liability, to the data subject, of all controllers or processors involved in the processing for any damage caused by the processing. There are some defences to this, such as if a controller or processor can prove that they have taken appropriate technical and organisational measures to protect the personal data they handle from data security breaches.
Damage to reputation and loss of customers
The digital age has not only provided greater opportunity but also presents greater risk of the misuse and disclosure of data, as well as publicity over any mishandling of data. GDPR requires controllers to notify the ICO within 72 hours of becoming aware of a breach. The exception to this is if the breach is unlikely to result in a risk to the rights and freedoms of natural persons. On top of that, if there is a high risk to those rights and freedoms, you also have to notify the person involved (the data subject).
Loss of shareholder value
Most businesses derive significant value from the data that they hold and use. Whether you are selling or buying a business it will be critical to consider if the buyer will be able to use the personal data held by the target business. If the target business cannot demonstrate the basis on which it is allowed to use the data (and does not have the appropriate records and policies to demonstrate GDPR compliance) then this is likely to affect its value.
So where do you start?
This is a big topic and cannot possibly be covered in one article. However, we recommend starting with the ICO website, which has:
- Blogs and guidance such as its “12 steps to take now”
- A self-assessment tool
There is also a third element still to come to watch out for, which is the updating of the E-Privacy Directive. This will update the precise rules over marketing (opt-in/opt-out tick boxes etc.). It will not be ready for 25 May, and so we will have a mixture of compliance with GDPR and the old Privacy regime.
During our time helping organisations through GDPR, we have found that, by and large, they already have a decent appreciation of the current law and so can easily build on that foundation. This involves working up a project plan to tackle the requirements, including data mapping to help audit what personal data is held and how it is used, and the creation or updating of agreements for processing, privacy policies and notices, both internally for staff and externally for customers and other third parties.
Given the potential effects and risks it is imperative that organisations grapple with, if not embrace, the changes. Failure to do that could lead to a range of significant consequences. Even if fines might be reserved only for those with a gross disregard of the law, there is still the negative effect of loss of reputation and value in this connected world.