Posted by Sharon Cooper, corporate compliance manager at Legal Futures Associate, the Chartered Institute of Legal Executives [1]
Cooper: Huge potential fines
The EU General Data Protection Regulation (GDPR) comes into effect in May 2018. It takes the existing Data Protection Act 1998 (DPA) principles to the next level and will enforce heavy fines on any non-compliant organisation.
On 13 September 2017, the government introduced the Data Protection Bill. If enacted, the bill will repeal and replace the DPA and supplement the GDPR.
The existing DPA and the new EU regulation are all about data privacy and the rights of the individual. The key changes are:
- A data protection officer must be appointed if your organisation processes client/customer data; however, this does not need to be a dedicated role and in many cases the role can be taken by the risk/compliance officer;
- Data protection impact assessments become mandatory for data processors before data collection in ‘certain situations’. As yet, the ‘certain situations’ aspect has not been defined by the Information Commissioner’s Office (ICO);
- Data processors will become accountable for breaches to data that is managed by a third party if they have not shown due diligence in appointing and managing the third party;
- ‘Privacy by default’ requires data controllers to implement appropriate measures to ensure that only necessary personal data is processed. As with the existing DPA principles, the term ‘appropriate’ has not been defined and is open to interpretation;
- Data portability means that, on request from the ICO, relevant data should be provided to it in an easily accessible (but secure!) format; and
- Data breaches must be notified to the ICO within 72 hours of discovery. However, the GDPR does not define what level of breach should be notified to the ICO.
Here at CILEx, we are checking that our own processes are robust enough to limit breaches occurring. Appropriate policies, procedures and systems considering privacy must be in place for existing systems, and considered at the outset for future product or process development.
The ‘right to be forgotten’, meanwhile, requires controllers completely to remove data if the data subject withdraws their consent, and when data is no longer necessary for the purpose for which it was collected.
Under the existing DPA, the maximum potential fine was set at £500,000, although as yet this has not been enforced. In September 2017, the value of fines issued for DPA-related offences totalled £740,000.
Readers should note that the GDPR will change the amount and way in which fines are issued. There will be a two-tier system, with the highest-tier fines limited, initially, to a maximum of €20m or up to 4% of the total worldwide annual turnover of the preceding year, whichever is higher. It is important, therefore, that all businesses get their compliance right.
What you can do to ensure that you are ready to comply with the GDPR
Here at CILEx, we are asking each team the following questions:
- Who is responsible for data protection/ data privacy in your area?
- Is your DPA policy and your privacy assessment statements up-to-date?
- What systems do you use and what data do you collect?
- Why do you collect the data?
- How do you store the data, is it secure and how often do you check that it is still required?
- When obtaining information from clients/customers, do you let them know how you will use their information?
- Are team members trained in DPA principles and reminded regularly of the principles?
- Who deals with subject access requests, and have they been dealt with in accordance with the DPA?
- Do you share data with a third party, and if so how do they comply with the DPA?
The answers to the above questions will provide the basis for a plan of action. You may wish to adopt this approach in your organisation to ensure that you are well on the way to complying with the GDPR. I wish you good luck!
Although this article gives an overview of some of the changes to the DPA, it is not comprehensive. Readers must seek clarification from the ICO regarding their own organisational requirements.