Data Protection is not a new issue and has been subject to legislation for decades. The GDPR introduces new legal rights for individuals in relation to the information companies hold about them and how they use it and, alongside those rights, greater obligations on companies to keep an individual’s information secure and ensure it is processed properly.
Any business or organisation that holds "Personal Information" about people (whether they be clients, customers, or staff) will be caught by the new regulations. "Personal Information" is information which identifies someone, such as their name and address, and is therefore caught by the GDPR. The GDPR also introduces new definitions for "Sensitive Personal Data", which could include biometric data, medical records, and details of someone's sexual orientation or religious beliefs.
For a long time, individuals have been able to make a Subject Access Request pursuant to the Data Protection Act 1998 ('the 1998 Act') to find out what information is held about them by a business or organisation. The right to access the information will still exist under the GDPR but generally individuals cannot be charged a fee for being provided with the information (as they can under the 1998 Act) and the information requested must be provided to the individual without delay, and at the latest within 1 month of it being requested (significantly more quickly than the current 40 day deadline).
So, what has changed?
The GDPR imposes an obligation on businesses and organisations to inform people about what happens with their Personal Information including how and why it is being processed. This will generally be done by providing individuals with a Privacy Notice, however, it is unlikely that a single form of Privacy Notice will be suitable for all types of Personal Data. For example, the Personal Information held about staff will be held for different purposes and processed differently to information an organisation may hold about individual customers, and therefore 2 different Privacy Notices may be required.
The GDPR also provides for individuals to have a right to be forgotten and imposes an obligation on businesses not to store or keep information for any longer than is necessary. How long businesses need to keep their records for will depend on the type of business and the information that they hold. The problems experienced by the "Windrush" generation, who came to the UK between 1948 and 1971, have been widely reported in the news recently: official documentation which evidenced their arrival in the UK was destroyed by the Home Office in 2010, meaning that they are now unable to provide evidence of their right to stay in the UK.
As a result, some of them have found it difficult to provide evidence of their entitlement to work or to receive treatment from the NHS, and some have been threatened with deportation. The long-term question of whether it is a good idea for data to be destroyed simply because it is deemed no longer to be required at that time will no doubt arise in the future. However, in view of the availability of electronic document storage, documents are probably being held for far longer than historically would have been the case. In any event, organisations need to have clear policies about what data they are storing, the purpose of storing it and how long it will be kept.
How to become compliant
In order to be compliant with GDPR organisations need to ensure that they have proper policies and procedures in place which outline and govern how they process people’s Personal Information.
If an organisation is transferring or passing data to any third party then that needs to be explicitly explained to the individuals. The organisation also needs to ensure that those third parties are themselves GDPR compliant. Additional requirements may be necessary if the data is being transferred out of the EU. On that note, it is important to remember that the GDPR will remain in force post-Brexit.
If a business or organisation finds itself in breach of the GDPR then it needs to report the breach to the Information Commissioner’s Office ('ICO') within 72 hours of the breach occurring. Failure to report the breach is in itself a breach of the GDPR. If the ICO considers after an investigation that a breach has occurred then it has the power to impose a fine equal to 4% of the business or organisation’s turnover or €20 million (whichever is the greater).
Currently, it is impossible to predict how the ICO will use its powers, but it seems likely that the largest fines will be reserved for the most serious breaches. The ICO has been the regulatory body for Data Protection for a number of years and is therefore experienced in investigating and enforcing breaches of Data Protection. During April 2018 the ICO imposed five monetary fines ranging from £12,000 up to £200,000. These fines have been against various types of organisations including local government, private companies, individuals acting as sole traders and police forces.
This new law affects all sizes of businesses
Any business that thinks that GDPR does not apply to them is likely to find itself in trouble. Every business that employs people will be caught by GDPR as they will be holding Personal Information about their staff. Any business that has individuals as clients or customers will also be caught as they will hold Personal Information about those clients or customers. It is therefore important that all businesses take the time to review their policies and procedures and ensure that they are compliant with the GDPR in time for the commencement date of 25 May 2018.
Further guidance about GDPR and how to prepare for it is available from the ICO including a 12 step checklist.
This article aims to supply general information, but it is not intended to constitute advice. Every effort is made to ensure that the law referred to is correct at the date of publication and to avoid any statement which may mislead. However, no duty of care is assumed to any person and no liability is accepted for any omission or inaccuracy. Always seek our specific advice.