Are you Data Protection fit?
July 19, 2017
Next year heralds a new dawn when it comes to data protection as the General Data Protection Regulation (GDPR) comes into force on 25 May 2018. Its aim is to address the significant advances in information technology, the ways individuals and businesses communicate and share information since the last EU Directive on data protection was issued back in 1995.
Will Brexit affect its implementation? No. The UK agreed to sign up to it back in April 2016 (so pre-Brexit). The government has since confirmed it will implement the GDPR when we leave the EU.
For many organisations compliance will require you to make wide-ranging changes, which may include redesigning systems that process personal data, and renegotiating contracts with third party data processors. Such changes will require time to implement. Last year The Information Commissioner's Office published a statement recommending businesses start their preparations back then in order to meet the May deadline. Here at Burroughs Day we’ve had a working party methodically working through what we need to do since last summer.
Many of the existing core concepts of data protection will remain. But the GDPR introduces new obligations on how you gather and handle information, and strengthens individuals' rights.
Some of the key changes you need to be aware of are:
- Consent
This is about you having someone’s consent to hold and process personal information about them. The main change here is that consent will be harder to obtain. For your staff, consent is usually obtained by including a clause in the contracts that they then sign.
However, the GDPR requires a very high standard of consent. Consent must be given by a clear affirmative action establishing a freely given, specific, informed and unambiguous indication of their agreement to their personal data being processed.
The burden of proof that consent was validly obtained is on you. Getting staff to simply sign a contract containing a data protection clause is no longer likely to be enough. Our suggestion is you have a document separate to the contract that you issue to staff, give them time to consider and then sign.
From next year individuals will also have the right to withdraw their consent at any time. It must be as easy for them to withdraw consent as to give it.
- The right to be forgotten
In certain circumstances individuals will have the right to request that you delete personal data that you hold about them. For example, the data is no longer necessary for the purpose for which it was collected - copies of references maybe - or the individual withdraws their consent.
It isn’t yet entirely clear how this right will work in practice. But what it does mean is that you will need to have a procedure for monitoring:
- what data you hold;
- how you hold it; and
- where it is held,
as well as a process for how you are going to delete the data.
- Data subject access requests
These can be a useful weapon for disgruntled employees and can incur a significant amount of time (and cost) for you. At the moment you have 40 days from receipt of a £10 fee (if you charge one) in which to comply with the request.
The GDPR will usher in several key changes:
- Firstly, the data must be provided free of charge, unless the request is ‘manifestly unfounded or excessive’, in which case you can charge a reasonable fee, or refuse to act on the request.
- You will have to demonstrate that a request is manifestly unfounded or excessive. Given that the whole point is to give people access to information, this could be a high threshold to overcome.
- The time limit for compliance will change from 40 days to ‘without undue delay and in any event within one month’. Given that many employers struggle to meet the 40-day deadline, this is likely to cause problems. However, the period may be extended by two further months where necessary, taking into account the complexity and number of requests.
- Another change is if the request is submitted electronically, the information must be made available in electronic form (unless they’ve requested otherwise).
- Strict data breach notification rules
You will be required to notify the National Data Protection Authority (likely to be The Information Commissioner’s Office) of all data breaches without undue delay and where feasible within 72 hours. If this is not possible you will have to justify the delay to the ICO by way of a ‘reasoned justification’.
In some circumstances you will also have to notify the individual concerned. If they are an employee this could result in them raising a grievance. In some cases, the breach may entitle them to resign and bring an unfair dismissal claim.
So you will need to develop and implement a data breach response plan designating specific roles and responsibilities, training employees, and preparing template notifications so you and your staff can react promptly in the event of a data breach.
Getting it wrong could be very costly. Currently, the maximum fine for a data protection breach in the UK is £500,000. The GDPR significantly increases this to up to the greater of 4% of turnover or €20 million.
Basic things to think about and action now
- Is the information you hold about your clients, suppliers and staff held securely?
- Is the information accurate and necessary?
- Do you have a written process for checking and updating data?
- Do you have a written process for destroying an individual’s data?
- Do you have adequate written risk assessments regarding data security?
- Have you given your staff basic data protection training? Doing so can help show you take data protection seriously, and could help to defend allegations of a breach.