What is GDPR?

December 18, 2017 by Philip Giles at Giles Wilson Solicitors

Why is everyone talking about GDPR?

For those who think the Right to Erasure is about an entitlement to reminisce with some ‘80s synth-pop (which I agree is no bad thing), it is time to wake up to the General Data Protection Regulation (GDPR), which comes into effect on 25 May 2018 and which affects just about every business in the UK (regardless of Brexit). It is a complete overhaul of our data protection laws and impacts every business which holds or processes the personal data of others – so that is just about every business, unless your business doesn’t have employees, suppliers or customers!

The Information Commissioner’s Office (ICO), which is responsible for enforcement of data protection in the UK, has advised businesses that they need to prepare. But a number of businesses have not put in place adequate safeguards and transitional arrangements, and as a result they are woefully under-prepared. For many businesses, a significant restructuring will be required in order to be GDPR-ready.


How severe are the fines?

Once the GDPR is implemented, the capacity of the ICO to issue fines will be dramatically increased. At present the ICO can only fine businesses up to £500,000 for serious breaches; under the GDPR this rises to approximately £17.5m (€20m) or 4% of total worldwide annual group turnover (whichever is higher), and for less serious breaches the expectation is a fine of €10m or 2% of total worldwide annual group turnover (whichever is higher). The ICO has confirmed that there will be no “soft” launch; businesses are expected to be fully compliant by 25 May 2018.

To be unprepared is to potentially face:

  • Prosecution or regulatory enforcement, resulting in substantial penalties (as above).
  • Adverse publicity, reputational damage and a loss of customer trust.
  • Missed opportunities and wasted resources.
  • Sanctions in jurisdictions other than the UK.
  • Increased scrutiny from data protection authorities.
  • Civil liability or punitive damages for employment related breaches.
  • Criminal liability for directors and senior managers, which could result in imprisonment and substantial personal penalties.
  • Critical system delays and failures.
  • Orders issued by the ICO that impact business, and we note that the ICO can use investigative powers to carry out audits and demand information be disclosed, and to access a business’ premises.
  • Impact on business continuity.
  • Becoming embroiled in litigation and its attendant time, effort and expense.

What’s driving this change?

The aim behind the implementation of the GDPR is sensible; it is to avoid, amongst other things, identity theft, credit card fraud, and failure to comply with privacy policies which may lead to theft and deception. The abuse of health data, financial data, or child data can have an adverse impact on insurance, credit, jobs or parental control.

A customer has a fundamental right in the UK to have their personal data protected and it may only be processed (that is, obtained, recorded, held, used or disclosed) under certain circumstances. This will obviously have a wide impact on your business.


What will you need to review?

A well-constructed and comprehensive programme of GDPR analysis and implementation, for your business, can provide a solution to these various competing interests and represents an effective risk management tool.

In particular, the business will need to carefully review existing procedures for obtaining an individual’s consent to process their personal data. This is more than a tick-box exercise; you must be specific in explaining to the individual (whether they are an employee, contractor, supplier, or other) what personal data you intend to hold, for what specific purpose, and for how long (to include explaining how they may demand such data be erased in the future) – the individual must make an informed affirmative decision to allow you to hold and use such data.


Where should the action you take lead you?

The business must be in a position at all times to respond quickly to any data subject’s request, and this is likely to require substantial modification to the business’ technological infrastructure and organisational processes. The staff handbook may be amended in relation to employee monitoring, and a written and comprehensive information security programme will be needed to protect the security, confidentiality and the integrity of personal data held. It should set out action plans for security breach, disaster recovery, and data restoration. The business will also be required to implement privacy impact assessments before carrying out any processing that uses new technologies, and that is likely to result in a risk to data subjects. The business must notify the ICO of all data breaches within 72 hours, and the business will therefore need to look carefully at its data breach response plans and procedures.

The above represents a short synopsis of the requirements of the GDPR, and there are many more that are not included and which are equally important. Preparing for compliance will clearly need considerable planning across the business and you may well want to take some professional advice.


What’s the best way to prepare to become compliant?

We recommend your business carries out regular training and reviews of its policies. But first it needs to be in a position to understand the threats and the risks, and what steps it needs to take in a specific, rather than a general, sense. We recommend that, at Board level, the GDPR is properly understood, which is going to involve owners and directors doing their own homework on the regulations, and then drafting the necessary documents and procedures for the business to follow, or undertaking the same exercise by working closely with trusted advisors. Beware the emergence of the “GDPR Consultant” who claims to be able to “do your GDPR” for you; some will know what they are doing and others won’t, but either way, when they move on, it will be your responsibility to ensure your business going forward is run in a GDPR compliant way.

At Giles Wilson, we can advise and assist you through the process. Please contact Philip Giles on 01702 477106 or email philip@gileswilson.co.uk for more information.
