In the run-up to the implementation of the GDPR, we have been sharing soundbites about what this will mean for your business. Now Friday 25 May 2018 has finally arrived, here’s a round-up of those hints and tips, which have been written by Associate Solicitor, Thomas Newlyn.
Did you know?
Soundbite 1 – Fines:
Under the GDPR, businesses in breach of the GDPR can be fined up to a maximum of 4% of annual global turnover of the previous financial year or €20 million - whichever is the greater!
That is a massive increase on the current maximum fine of £500,000, which the Information Commissioner’s Office (ICO) can currently levy. The approach to fines is tiered and a business can be fined 2% of annual global turnover or €10 million should it not have its business records in order, not notify the supervising authority and data subject about a breach and/or not conduct an impact assessment.
Soundbite 2 – Consent:
Under the GDPR, the conditions for obtaining individuals’ consent to the use of their personal data have been strengthened. Businesses will need to request individuals’ consent in a clear, intelligible and easily accessible form which is separate from their terms and conditions.
In addition, the purpose for obtaining and processing the data must be clearly set out to the individual. The consent must be specific and distinguishable from other matters requiring the individual’s consent – blanket consent is not enough. Finally, individuals will be allowed to withdraw their consent at any stage and businesses should facilitate that process by making it clear how this can be achieved.
Soundbite 3 – Personal data breaches:
Under the GDPR, it will become mandatory to report a personal data breach to the ICO if it is likely to result in a risk to an individual’s rights and freedoms. The threshold to determine whether an incident needs to be reported depends on the level of risk it poses to the individual involved.
As a business, the best approach is to examine the types of incidents you could be faced with and to develop a sense of what may qualify as a serious incident, when considering your customers and the data you hold. The ICO’s guidance confirms that high risk situations are likely to include people suffering significant detrimental effect including discrimination, damage to reputation and/or financial loss.
Under the GDPR, there is a requirement to report a personal data breach without undue delay and, where possible, no later than 72 hours after being made aware of it.
Soundbite 4 – DPIAs:
Under the GDPR, the use of Data Protection Impact Assessments (DPIAs) will become a legal requirement when the processing of data is likely to be a risk to the rights and freedoms of natural persons. That risk is assessed by judging both the likelihood and the severity of the harm.
A DPIA is a documenting process which allows a business to describe and analyse the intended processing of personal information. This therefore helps a business to identify and minimise data protection risks at an early stage. The Information Commissioner’s Office is currently drafting guidance on DPIAs - it has commented that an effective DPIA could have real long-term benefits in ensuring a business’ compliance with new data protection laws (by positively demonstrating its compliance with data protection obligations), helping to build external trust and avoid the reputational and financial damage caused by enforcement action following a breach.
Soundbite 5 – Higher fines:
Under current data protection law, Royal Mail Group Ltd (Royal Mail) was fined £12,000 earlier this month by the ICO for sending over 300,000 ‘nuisance’ emails. On two separate occasions in July 2017, Royal Mail had sent emails to a total of 327,014 individuals outlining a price drop for parcels. The individuals in question had opted out of receiving direct marketing emails from Royal Mail and it therefore did not have the individuals’ consent to send the emails (see Soundbite 2).
Following a complaint from one of the aforementioned individuals, the ICO launched an investigation and determined that ‘Royal Mail did not follow the law… because the recipients had already expressed they did not want to receive (the emails)’. Under the GDPR, conditions surrounding individuals’ consent are strengthened and it is arguable that Royal Mail could have received a significantly higher fine (see Soundbite 1).
Soundbite 6 – SARs:
Under the GDPR, the terms surrounding subject access requests (SARs) are changing. A SAR is a right regularly used by individuals who want to see a copy of the information a business holds about them. Under current data protection law, an individual is able to make a written request for their data for a fee of up to £10.
The individual is entitled to know whether any personal data is being processed and to be given a description of the personal data held. They are also entitled to know the reasons for processing that data, who will have access to the data and to be given a copy of the data held and details of its source. Businesses currently have a duty to respond to and comply with an individual’s SAR without delay and within 40 calendar days of receiving it.
The GDPR explains that the purpose for allowing individuals to make a SAR is to enable them to be aware of and verify the lawfulness of the processing of their personal data. In addition, under the GDPR, an individual will generally no longer be required to pay a fee when submitting a SAR, and a business will have a duty to respond to and comply with an individual’s SAR without delay and within a month of receiving it.
Soundbite 7 – Data Protection Officer:
One of the requirements under the GDPR is for a business to appoint a data protection officer (DPO) when deemed necessary. The DPO is the data protection expert within the business and deals with all internal and external data protection queries. In particular, the DPO’s role is to inform data controllers and processors of their data protection obligations, monitor compliance with the GDPR and train the business’ staff. In addition, the DPO should provide advice where requested regarding DPIAs (see Soundbite 4) and engage with the Information Commissioner’s Office or relevant supervisory authority as appropriate.
Should you appoint a DPO? Advisory bodies suggest that businesses should appoint a DPO unless they can demonstrate there is no requirement to do so. The GDPR sets out three instances where a DPO should be appointed: (1) where the processing of data is carried out by a public authority; (2) where the ‘core activities’ of the business require regular monitoring of data subjects on a ‘large scale’; and (3) when dealing with special categories of data (including ethnic origin, political opinions, religious beliefs and health data). The Senior Technology Officer at the ICO has made it clear that small and medium-sized enterprises should also consider appointing a DPO.
Soundbite 8 – The right to be informed:
Under the GDPR, data subjects have the right to be informed about the collection and the use of their personal data. Businesses are required to provide data subjects with information including the purposes for processing their personal data, the retention periods for the personal data and who the personal data will be shared with. In addition, businesses are to provide contact details of their data protection officer, the lawful basis for processing the data subject’s personal data and the legitimate interests for the processing. These details are to be provided to the data subject when collecting the personal data and are to be transparent, concise, easily accessible, intelligible and should be set out in clear and plain language. The information provided must be reviewed on a regular basis and updated when necessary.
Soundbite 9 – The right to rectify:
Under the GDPR, data subjects have the right to have their personal data rectified if it is inaccurate. Businesses in receipt of a request for rectification are required to take reasonable steps to satisfy themselves that the data held is accurate and if it is not, should rectify the data as required.
The ICO’s guidance suggests that what counts as reasonable steps depends on the nature of the personal data and what it will be used for. In addition, it suggests that the more important it is that the personal data is accurate, the greater the effort that should be made to verify its accuracy. Businesses who deem that a request for rectification is manifestly unfounded or excessive can request a reasonable fee to deal with it or refuse to deal with it – in both cases the decision must be justified.
Soundbite 10 – The right to be forgotten:
The GDPR has introduced a new right for individuals known as the right to erasure (also known as the ‘right to be forgotten’). Businesses should be aware that individuals have the right to request that their personal data be erased in certain circumstances.
These include personal data no longer being necessary for the purpose for which it was initially collected or processed, and personal data being processed for marketing purposes where the individual objects to the processing. In addition, businesses relying on consent as the lawful basis for holding personal data must erase an individual’s personal data should the individual withdraw their consent.
Soundbite 11 – Data portability:
Under the GDPR, data subjects have the right to data portability. This means that data subjects have the right to receive the personal data they have provided to a data controller in a ‘structured, commonly-used and machine-readable format’.
In addition, data subjects have the right to request the transfer of their personal data from one data controller to another. Businesses need to prepare to comply with this right, ensuring that any personal data held for data subjects is maintained in such a format.
The GDPR offers guidance on when the right to data portability would apply, confirming it is when the lawful basis for processing the information is consent or the performance of a contract and that the processing is by automated means (this excludes paper files).
If you’re concerned about how the GDPR will impact on your business or would like your contracts reviewed to include reference to the GDPR, call our Corporate and Commercial team on tel: 01892 515022.