May 25 2018 will mark a major divide in how businesses handle user data. This is because on this day, a new data protection bill, namely the EU General Data Protection Regulation (GDPR), will take full effect.
While it may seem like another legal formality, it is anything but and it will still apply after Brexit.
What’s the story?
The new GDPR regulations will widen the definition of personal data. Any information relating to a person or data subject, that can be used to directly or indirectly identify the person is affected. In addition to the usual suspects (name, picture, email address, contact number), GDPR also includes an individual’s computer IP address and mobile device identity making these protected under the bill.
What you can’t do anymore
Businesses cannot collect an individual’s data without their consent. This means that adding an individual’s information into your system via their business card for example is prohibited, unless you can demonstrate they have consented to it. IP addresses are explicitly mentioned as forms of data protected under GDPR. This means that you can’t store an individual’s IP address, unless of course, you have their consent. You are responsible for demonstrating their consent.
What are the penalties?
As with any legislative breach, businesses can expect to face a penalty if the regulations are not followed. A personal data breach is defined as being ‘a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data’. Larger fines for a serious breach will be up to four per cent of an organisation’s annual worldwide turnover or €20 million, whichever is greater.
Five things you need to do now
- Appoint a data protection officer. Whether you appoint someone from within your business or bring in expert help, if you have more than 250 staff then this is obligatory. They will be responsible for implementing data safeguards and secure handling of data.
- Document your data. Document what personal data your business holds, where it came from and who it’s shared with. Update procedures to cover how you would delete personal data and review how you are obtaining and recording consent. As part of demonstrating compliance, GDPR requires data controllers and data processors to maintain a record of processing activities containing certain information and make it available on request to the supervising authorities.
- Train your staff . Make sure that decision-makers and key people in your business are aware that the law is changing and the impact this is likely to have. Familiarise yourself with the guidance the ICO has produced on Privacy Impact Assessments.
- Conduct due-diligence on your supply chain. Ensure all your suppliers and contractors are GDPR-compliant to avoid being impacted by any breaches and consequent penalties. You’ll also need to ensure you have the right contract terms in place with suppliers (which puts important obligations on them, such as the need to notify you promptly if they have a data breach).
- Look hard at your security measures and policies. When a security breach threatens the privacy of someone on your files how would you report this and communicate the breach? What data encryption measures do you have in place to prevent unauthorised access to data?
It’s easy for small companies to see the GDPR as a burden, but it applies to any business with personal data of EU citizens. This includes customer, supplier, partner and employee personal data.
It’s also important to note that even if you’re a small business, if you’re contracting with a larger company which conducts large-scale data processing you may be subject to the harsher end of the GDPR’s regulation.
Insolvency will be a real risk for non-compliant businesses as a result of these fines. But bear in mind the possibility that individuals can also sue you if they suffer as a result of your data management. This could be for material damage or non-material suffering, such as distress.
We can help you put your business in order ready for the May GDPR deadline. For a full presentation on GDPR Compliance or for advice on anything from drafting GDPR compliant record documents to privacy notices and employment advice contact our specialist solicitor Tim Wolley on 01782 200007 or email firstname.lastname@example.org
For more information about the full range of legal services available here at Bowcock & Pursaill Solicitors call 01538 399199 or email email@example.com.