The General Data Protection Regulation (GDPR) comes into force on 25 May 2018 across all EU member states, including the UK. The new rules encompass the "right to be forgotten", 72-hour breach reporting, stronger requirements for consumer consent around personal data, and the prospect of substantial fines. The UK currently relies on the Data Protection Act 1998, which will be superseded by the new legislation. The GDPR will apply to UK companies despite Brexit looming, and its reach is global: it applies to any company, wherever it is based, that processes the personal data of individuals in the EU.
How prepared are businesses?
A survey by Ipsos MORI published in January 2018 found that only 38 per cent of businesses had heard of the GDPR. The results varied significantly between organisations: the larger the organisation, the more likely it was to be aware of the upcoming regulation.
Research published by the Federation of Small Businesses (FSB) in February 2018 indicates that a staggering 90 per cent of small companies are still not prepared for the new data regulation. A third (33 per cent) of small businesses have not yet started preparing for the introduction of the GDPR, with a further third (35 per cent) conceding they are only in the early stages of preparation. Only 8 per cent of small businesses have completed their preparations for the regulation.
Impact of non-compliance
Not all infringements will lead to serious fines. The Information Commissioner's Office (ICO) has a range of corrective powers, including issuing warnings, imposing bans on data processing and ordering the erasure of data. However, the most severe infringements can attract fines of up to €20 million or 4% of annual worldwide turnover, whichever is greater. Small companies with fewer than 250 employees are granted some exemptions (notably from certain record-keeping obligations), but the overriding principles still apply to them in full.
Preparing for the GDPR
With less than three months to go, here are several steps that will reduce the likelihood of non-compliance with the upcoming regulation, and of the fines that come with it:
1) Conduct a data audit – Identify all personal data held by the business, including where it is stored, how it is being used, who it is shared with, and what consents you have asked for. The new legislation widens the scope of what constitutes 'personal data': it explicitly includes online identifiers such as IP addresses, so logging IP addresses counts as processing personal data.
2) Consider appointing a data protection officer (DPO) - Under the GDPR the duty to appoint a DPO depends on the nature of the processing (for example public authorities, or large-scale monitoring of individuals) rather than on company size, so most small businesses will not be legally required to have one. It may nevertheless be beneficial to give one person clear ownership of the business's data protection obligations. The role should encompass advising on data protection law, monitoring compliance through internal audits, and ensuring that personal data breaches are reported to the relevant authorities within the required timescale.
3) Train your staff - Ensuring that employees understand their obligations is a key aspect of the GDPR. The ICO indicates that staff training helps demonstrate compliance. Staff training also has the added benefit of lessening the likelihood of a data breach, since many breaches originate in simple human error.
4) Design a data policy – Document simple policies and procedures for handling all personal data, from collection through to retention and deletion, and cover them as part of staff training.
5) Implement a 'data breach notification process' - Once an organisation becomes aware of a personal data breach, it will have to act very quickly. The GDPR introduces a duty on all organisations to report personal data breaches to the relevant supervisory authority within 72 hours of becoming aware of them, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. Where the breach is likely to result in a high risk to individuals, the affected individuals must also be informed without undue delay. A documented process that covers detection, internal escalation, assessment of the risk and the actual notification is the only realistic way to meet a 72-hour deadline.
6) Consider the 'right to be forgotten' - Individuals can, in certain circumstances, ask an organisation to delete or remove their personal data (the GDPR calls this the right to erasure). Ensuring that processes are in place to locate and delete an individual's data on request, including copies held by third-party processors, is a key component of GDPR compliance. There is currently an interesting test case in which a businessman has taken Google to the High Court in London, in what is being seen as a landmark case over the 'right to be forgotten'.