Businesses already shoulder a heavy regulatory burden, and from May it’s going to get heavier when the EU introduces new data regulations known as GDPR.
The potential fines for rule breakers are sizeable – as much as 4% of turnover – and investigations into transgressors are likely. So, if your business hasn’t started its planning for GDPR yet, you need to get moving. Ed Bowsher reports.
What is GDPR?
GDPR stands for General Data Protection Regulation and is a new EU-wide set of rules on data. It replaces the Data Protection Act in the UK and will be implemented on 25 May, 2018.
The Data Protection Act was enacted in 1998 and was designed for a world without Facebook or cloud computing. Given the huge changes over the past two decades, an update to data protection law was inevitable, and the changes arising from GDPR are substantial.
The law applies to businesses and any other organisations that keep data on their customers, employees or other stakeholders.
A summary of seven of the biggest changes:
- Requirement to report data breaches within 72 hours
It is essential that an organisation monitors for data breaches, such as someone hacking into a database. Any breach must be reported within 72 hours and the report must go to the ICO (Information Commissioner’s Office) and to anyone whose data has been breached.
- Tighter rules on consent
The rules on customer consent have been considerably tightened. Before an individual gives consent for data to be kept, companies must explain what data they’re keeping and how it’s used. The consent request must be in plain language, and the customer, or ‘data subject’, must tick a box giving consent.
It’s not acceptable to assume consent by default and rely on the subject unticking a pre-ticked box. Even if the names of people have been removed from data, GDPR may still apply depending on how easy it is to identify whose data it is.
- Processor liability
The law separates organisations into ‘data controllers’ (the organisation that determines how data is handled) and ‘data processors’ (organisations that handle data on behalf of controllers).
Often, data processors will be handling data in the cloud. Currently, only data controllers take the hit if things go wrong, but under GDPR both controllers and processors are potentially liable. Checking that the data processor is complying with all the regulations is a big burden for the data controller.
- Right to be forgotten
An individual can ask for all of their personal data to be erased. This includes files, records in the database, emails and archived copies. If data has been sent to another organisation, the data controller must ask that other organisation to erase it.
Individuals can also ask to see their data at ‘reasonable intervals’ and they should get the data within a month. They have the right to know why the data is being used, how long it’s stored for and who gets to see it.
There are, however, several exceptions where the organisation can keep the data. These include for public health purposes or the defence of a legal action.
- Data protection officer
Many organisations will have to appoint a data protection officer (DPO) to ensure compliance with GDPR. As well as understanding the relevant law, the DPO should be proficient at managing IT processes and data security, including cyber-attacks.
- Data minimisation principle
This requires organisations not to hold data for any longer than necessary and not to use it for purposes other than those it was collected for.
- Right of ‘data subjects’ to bring actions either as a complaint to the ICO or as a court action
Alan Calder, executive chair, IT Governance Limited, says these rights present ‘opportunities for, in effect, class actions to emerge.’
Another major change is a big increase in possible penalties. If an organisation fails to report a breach in its data protection within 72 hours, the ceiling for a potential penalty is €10m or 2% of global turnover – whichever is larger.
If there’s an absence of accountability at an organisation – in other words, the organisation has done very little to set up a data protection system – the penalty could be as high as €20m or 4% of global turnover. The current maximum fine in the UK is £500,000.
However, Jon Baines, Chair of NADPO, the National Association of Data Protection and FOI Officers, says he’s ‘highly doubtful we will see anything like this scale of fines, certainly in the near future’, even if the increase ‘has focused the minds of many in the boardroom.’
What should businesses be doing?
Baines says that all companies should look at the information on the ICO’s website, especially an article called ‘12 steps to take now.’
Baines says, ‘If companies can follow these 12 steps, or at least show that, come 25 May, they are making strides towards doing so, they will be able to show the ICO (and the courts, in the event of any litigation) that they are aware of and responding to the main issues.’ Baines also recommends the ‘Mythbuster’ blogs on the ICO website.
It’s also important to note that if your business is compliant with the current Data Protection Act, you’re in a great starting position.
If you are compliant with existing law, Calder says you should now be focusing on your status as a ‘controller’ and your contractual relationships with any ‘processors’ you use. You also need to clarify what data you’re holding and whether you’ve got a legal basis to hold that data.
However, Calder thinks that most UK businesses probably aren’t compliant with the Data Protection Act and ‘they have a real problem.’ There won’t be a data protection culture and the board probably won’t be on top of what needs to be done.
For any firm in this position, the first step must be to get the issue on the board agenda, and the board must then ‘empower somebody to lead a compliance project’, which will include ‘a quick gap analysis focusing on personal data protection.’
Firms should also look at the way they collect data and their ability to tell data subjects what data they have when the subjects ask for it.
Calder thinks firms should start with these areas because they are the areas that are most likely to get you into trouble with the regulator fastest.
Following that initial work, there’s a range of different issues that firms need to get on top of.
These include making sure that there are robust data reporting processes, and asking whether data is still held that should have been disposed of years ago.
Calder says ‘most companies are holding data going back way too many years.’
When the UK leaves the EU, GDPR will remain British law unless and until UK legislators decide otherwise. But even if GDPR were repealed in the UK, it would still affect many UK businesses.
That’s because GDPR will still apply to any business outside the EU that targets customers in the EU or monitors data subjects in the EU.
In reality, it’s likely that UK legislators will leave GDPR alone, because having one set of rules in Europe will make life simpler for businesses.
Either way, it’s comforting that regulators may not start imposing maximum fines from day one, but nonetheless, businesses need to get on top of these changes quickly.