With the new General Data Protection Regulation (“GDPR”) coming into force on 25 May 2018, the media is full of hype regarding how GDPR will drastically change the face of data protection. But how much of the media coverage is based on fact, and how much is fiction?
True or false? The biggest threat to organisations from the GDPR is massive fines.
Despite the big media focus on huge fines, the Information Commissioner’s Office (“the ICO”) has emphasised that “This law is not about fines. It’s about putting the consumer and citizen first.”
Although the ICO will be able to impose much greater fines under the GDPR than under the current regime (a maximum of £17 million or 4% of turnover under the GDPR, rather than £500,000 under the Data Protection Act 1998 (“the DPA”)), the Information Commissioner has emphasised that the ICO won’t make early examples of organisations for minor infringements, and that maximum fines won’t become the norm.
It may give organisations some comfort that in 2016/2017 the ICO dealt with 17,300 cases of alleged data protection infringements but issued only 16 fines. In addition, the ICO has never invoked its maximum powers.
Like the DPA, the GDPR gives the ICO a range of sanctions to help organisations comply, including warnings and corrective orders, and there is also the risk of reputational damage.
However, don’t let all of this make you too relaxed, as the ICO has also made clear that they won’t be afraid to use sanctions if organisations “play fast and loose” with people’s data!
True or false? You must have consent if you want to process personal data.
Consent is one “lawful basis” for processing data - it’s not the only way. There are 5 other, less publicised lawful bases:
- Contract - to comply with a contract with the “data subject”, or because the data subject has asked you to do something before entering into a contract;
- Legal obligation - to comply with a common law or statutory obligation (not a contractual obligation);
- Vital interests - to protect someone’s life;
- Public task - most relevant to public authorities, but it can apply to any organisation that exercises official authority or carries out tasks in the public interest; and
- Legitimate interests - yours or a third party’s.
If you do want to rely on consent, remember:
- Pre-ticked opt-in boxes are not indications of valid consent.
- You must make it easy for people to withdraw consent.
- You must explain the giving and withdrawal of consent in clear and plain language.
- Make sure the consent you’ve already got meets the standards of the GDPR. If not, you’ll have to refresh it.
True or false? All personal data breaches will need to be reported to the ICO.
You are only obliged to report a personal data breach under the GDPR if it’s likely to result in a risk to people’s rights and freedoms. The GDPR does not explain exactly what that means, but the ICO’s Guide to GDPR gives some helpful pointers, including the need to consider:
- the impact/consequences of the breach;
- the nature of the data and how sensitive it is;
- how easy it is to identify the data subject from the data; and
- how many people are affected by the breach.
The ICO will also have a designated hotline to call for support and advice regarding whether it is necessary to report a breach.
Remember that you must report a breach without “undue delay” and, where feasible, not later than 72 hours after becoming aware of it.
When reporting, the ICO won’t necessarily expect full details, but they will want to know the potential scope and the cause of the breach and how you plan to address the problem and mitigate the breach.
Remember that if the breach is likely to cause a high risk to people’s rights and freedoms (e.g. if a person may suffer discrimination, damage to reputation, financial loss or any other significant economic or social disadvantage), you will also be obliged to report the breach to the individual(s) affected...
True or false? If you don’t report in time, a fine will always be issued and the fines will be huge.
Although the ICO can issue fines if organisations don’t report breaches and/or don’t report within the deadline, the ICO has emphasised that fines will be proportionate and won’t be issued for every infringement. Their message is that organisations can avoid fines if they are open and honest and report without undue delay. “Tell it all, tell it fast, tell the truth.”
True or false? 25 May 2018 is like Y2K.
Unlike preparing for Y2K (and the widespread myths and panic which pre-dated that), the ICO has emphasised that GDPR preparation doesn’t end on 25 May 2018.
Although organisations must prepare and be ready for (G)D(PR) day, they must also keep on identifying privacy and security risks over time and implementing measures to avoid these in the weeks, months and years beyond May 2018.
What does this mean for you or your business?
Although there will be no “grace” period and compliance is expected from 25 May 2018, the ICO has been at pains to emphasise that it is a “fair and proportionate regulator” which prefers a carrot to a stick. The ICO should take into account matters such as self-reporting, cooperating with the ICO and demonstrating effective accountability arrangements when considering any regulatory action.
What should you be doing now?
Hopefully, you are ready or well on the way to being ready for GDPR.
However, some key things to consider are as follows:
- Audit what personal data you have, where it came from, how you “process” this and who you share it with.
- Review contracts with third party processors to ensure they’re compliant with GDPR.
- Think very carefully if you wish to rely on consent as your lawful basis for processing (especially in the employment/HR arena), and ensure that any consent is GDPR compliant.
- If you wish to rely on “legitimate interests” to process data, conduct a careful assessment first, including:
  - identifying a legitimate interest;
  - showing that the processing is necessary to achieve this; and
  - balancing this against the data subject’s interests, rights and freedoms.
- In order to process special category data (currently known as sensitive personal data), you must identify a “lawful basis” and also satisfy one of a list of further (quite stringent) conditions.
The UK’s Data Protection Bill (which will become our new Data Protection Act in due course) suggests that having a GDPR-compliant internal Data Protection policy in place before carrying out any processing will satisfy one of those further conditions.
We would, therefore, strongly recommend having such a policy in place by 25 May. It should include an explanation of how you will comply with the data protection principles and your policies on data retention, including how long employee data will be retained.
- Think about accountability and demonstrating compliance. This might include:
  - considering lawful bases for processing data (and documenting these);
  - considering whether you need to conduct any Data Protection Impact Assessments;
  - appointing a data protection officer (if needed);
  - reviewing/updating external privacy notices and ensuring that you also have an internal privacy notice for employees; and
  - ensuring that you have suitable procedures for identifying and reporting data breaches and responding to subject access requests.
- Assess/improve your cyber security.
- Train staff – as with areas such as cyber crime, staff are your best defence and greatest potential weakness in complying with GDPR.
These notes have been prepared for the purpose of articles only. They should not be regarded as a substitute for taking legal advice.