New data protection laws will place additional demands on businesses and can impose harsher penalties for non-compliance. Retail expert Adam Bernstein offers his advice
The European Union has recently overhauled its data protection law, and the new regime takes effect in less than two years. Despite Brexit, UK businesses need to be aware of the changes: penalties for breaches will be severe, and compliance will take time.
The European Union’s General Data Protection Regulation (GDPR) will apply directly in all member states from 25 May 2018. But will it still matter post-Brexit? Well, Culture Secretary Karen Bradley formally stated before a House of Commons committee last October: “We will be members of the EU in 2018 and it would be expected and quite normal for us to opt into the GDPR.”
Andrew Gallie, a senior associate at Veale Wasbrough Vizards, which specialises in information and data protection law, says the GDPR is not a monster, but it needs to be taken seriously. “Organisations that breach the law could face a fine of up to four per cent of annual worldwide turnover or €20 million – whichever is the greater.”
This is markedly higher than the £500,000 maximum that the Information Commissioner’s Office (ICO) can levy now – and fines are being levied. Many are imposed because of security breaches and a failure to take data protection seriously. TalkTalk, for example, was fined £400,000 in October last year over the cyber-attack on its customers’ data.
The Data Protection Act 1998 (DPA) requires that personal data is: processed fairly and lawfully; obtained and used for specified and lawful purposes only; adequate, relevant and not excessive for those purposes; accurate and, where necessary, kept up to date; not kept for longer than is necessary; processed in accordance with the rights of the individual; protected by appropriate technical and organisational security measures; and not transferred outside the European Economic Area (EEA) without adequate protection.
Mr Gallie adds that there are other points to note: “There are extra obligations when handling sensitive personal data, such as information about ethnic origin, sexual life, trade union membership, etc. Individuals also have the right via a Subject Access Request (SAR) to find out what information is held about them.”
Mr Gallie believes that the GDPR should act as a catalyst for a review of current practices – “those that leave the critical preparation until the last minute could find they won’t be compliant in time”.
He adds that the GDPR “requires ‘data protection by design’ and operates on an ‘accountability principle’, which will require firms to show they have effective policies and procedures”.
Individuals have a right to know what is going to be done with their data, and who it is going to be shared with. A website privacy notice can tell people about this. Mr Gallie adds: “Firms will need to tell data subjects – users – the legal basis for processing their data, the data retention period, and of their right to complain to the Information Commissioner. There is also a requirement that the privacy notice is concise, easy to understand and in clear language.”
The GDPR also confers or strengthens individual rights, such as the right to have inaccuracies corrected, the right to have personal data erased, the right to object to direct marketing, and a new right to data portability (receiving one’s data in a usable form to pass to another provider).
For many, the most challenging area is that of “consent” and Mr Gallie says that consent to use personal data cannot be inferred from silence, pre-ticked boxes or inactivity. “The GDPR requires that consent must be freely given, specific, informed and unambiguous. If a firm is going to rely upon ‘implicit consent’, then it must be ready to deal with a challenge as to how unambiguous the consent was.”
Further, if an organisation relies on consent to offer online services to children (in the UK, this will probably mean those under 13), then it will need a parent’s or guardian’s consent, and the language used in the privacy notice must be capable of being understood by children.
Under the current DPA there is no general obligation to report data breaches. The GDPR changes this: a breach that is likely to put individuals at risk must be reported to the ICO within 72 hours of the organisation becoming aware of it, and where the risk to individuals is high they must also be told without undue delay. “Firms should consider how they would deal with this new obligation,” says Mr Gallie. “They should be asking: How secure are their systems? What training do staff have? Is personal data encrypted? What breaches might result in an obligation to report? How would the harm to individuals be mitigated? Do the procedures in place around data breaches allow these obligations to be met?”
One practical step towards compliance, reckons Mr Gallie, is to “appoint a capable, interested person with responsibility for ensuring obligations are met”.
The GDPR is a real and present threat to firms of all sizes and the financial consequences of ignoring the new rules are severe. But those that plan ahead should have little to worry about.