In the run-up to the implementation of the GDPR on 25 May 2018, we have been sharing soundbites about what it will mean for your business. Here’s a round-up of those hints and tips, written by Associate Solicitor Thomas Newlyn.
Did you know?
Soundbite 1 – Fines:
Under the GDPR, businesses in breach can be fined up to a maximum of 4% of annual global turnover for the previous financial year or €20 million, whichever is the greater!
That is a massive increase on the current maximum fine of £500,000 which the Information Commissioner’s Office (ICO) can levy. The approach to fines is tiered: a business can be fined 2% of annual global turnover or €10 million if it does not keep its business records in order, does not notify the supervisory authority and the data subject about a breach, and/or does not conduct an impact assessment.
Soundbite 2 – Consent:
Under the GDPR, the conditions under which individuals give their consent for the use of their personal data have been strengthened. Businesses will need to request individuals’ consent in a clear, intelligible and easily accessible form which is separate from their terms and conditions.
In addition, the purpose for obtaining and processing the data must be clearly set out to the individual. The consent must be specific and distinguishable from other matters requiring the individual’s consent – blanket consent is not enough. Finally, individuals will be allowed to withdraw their consent at any stage and businesses should facilitate that process by making it clear how this can be achieved.
Soundbite 3 – Personal data breaches:
Under the GDPR, it will become mandatory to report a personal data breach to the ICO if it is likely to result in a risk to an individual’s rights and freedoms. The threshold to determine whether an incident needs to be reported depends on the level of risk it poses to the individual involved.
As a business, the best approach is to examine the types of incidents you could be faced with and to develop a sense of what may qualify as a serious incident, when considering your customers and the data you hold. The ICO’s guidance confirms that high risk situations are likely to include people suffering significant detrimental effect including discrimination, damage to reputation and/or financial loss.
Under the GDPR, there is a requirement to report a personal data breach without undue delay and, where feasible, no later than 72 hours after becoming aware of it.
Soundbite 4 - DPIAs:
Under the GDPR, the use of Data Protection Impact Assessments (DPIAs) will become a legal requirement when the processing of data is likely to pose a risk to the rights and freedoms of natural persons. That risk is assessed by judging both the likelihood and the severity of the harm.
A DPIA is a documented process which allows a business to describe and analyse the intended processing of personal information. It therefore helps a business to identify and minimise data protection risks at an early stage. The Information Commissioner’s Office is currently drafting guidance on DPIAs. It has commented that an effective DPIA could have real long-term benefits in ensuring a business’s compliance with new data protection laws (by positively demonstrating its compliance with data protection obligations), helping to build external trust and avoiding the reputational and financial damage caused by enforcement action following a breach.
Soundbite 5 – Higher fines:
Under current data protection law, Royal Mail Group Ltd (Royal Mail) was fined £12,000 earlier this month by the ICO for sending over 300,000 ‘nuisance’ emails. On two separate occasions in July 2017, Royal Mail had sent emails to a total of 327,014 individuals outlining a price drop for parcels. The individuals in question had opted out of receiving direct marketing emails from Royal Mail and it therefore did not have the individuals’ consent to send the emails (see Soundbite 2).
Following a complaint from one of the aforementioned individuals, the ICO launched an investigation and determined that ‘Royal Mail did not follow the law… because the recipients had already expressed they did not want to receive (the emails)’. Under the GDPR, the conditions surrounding individuals’ consent are strengthened and it is arguable that Royal Mail could have received a significantly higher fine (see Soundbite 1).
Soundbite 6 - SARs:
Under the GDPR, the terms surrounding subject access requests (SARs) are changing. A SAR is a right regularly used by individuals who want to see a copy of the information a business holds about them. Under current data protection law, an individual is able to make a written request for their data for a fee of up to £10.
The individual is entitled to know whether any personal data is being processed and to be given a description of the personal data held. They are also entitled to know the reasons for processing that data, who will have access to the data and to be given a copy of the data held and details of its source. Businesses currently have a duty to respond to and comply with an individual’s SAR without delay and within 40 calendar days of receiving it.
The GDPR explains that the purpose for allowing individuals to make a SAR is to enable them to be aware of and verify the lawfulness of the processing of their personal data. In addition, under the GDPR, an individual will generally no longer be required to pay a fee when submitting a SAR, and a business will have a duty to respond to and comply with an individual’s SAR without delay and within a month of receiving it.
If you’re concerned about how the GDPR will impact on your business or would like your contracts reviewed to include reference to the GDPR, call our Corporate and Commercial team on tel: 01892 515022.