The General Data Protection Regulation (GDPR) comes into force later this week on 25th May - bringing outdated personal data rules up to speed with an increasingly digital era. Here, data protection specialist at Gotelee Solicitors, Victoria Spellman highlights some of the potential pitfalls of the new rules.
GDPR builds on existing data protection regulations and brings them up to speed for an age where there is so much more personal data out there. Images can go viral in a matter in minutes and personal information can be posted on social media and seen across the world. The new rules provide protection for individuals in terms of giving them greater control of their personal data and holds the holders this data - be it businesses or individuals - to greater account.
Subject access requests
At the moment individuals are entitled to be told what data people are processing about them and to request copies of that information.
For businesses this request could come from customers, members of the public and even employees.
Subject access requests are often used in employment disputes, because personal data will include expressions of personal opinion. This includes e-mail conversations where maybe derogatory statements about a person have been made.
And even though this information may ultimately be damaging to your business you still have to release it.
This doesn’t mean a business has to archive every e-mail that comes and goes and if as a matter of fact they are deleted in accordance with the organisation’s data retention and deletion policy and can’t be retrieved, so be it.
But at the point when a request for information is made, GDPR makes it a criminal offence to tamper with that information.
This puts an onus on businesses to get their house in order so they are able to access this information should they receive such a request.
Ultimately, if you know you have someone’s personal data, but you can’t find it and you are not sure why you have it, then you are automatically in breach of the principles of data protection.
The advent of GDPR is reminder that organisations need to have several areas of the business working together. First, there is the IT department who are key in ensuring IT security such as putting firewalls, installing anti-virus software and locking down devices. Then there is also an HR piece, which involves staff training and developing a breach reporting policy - so employees know what to do if there is a data breach, how to react if they lose a company phone or laptop and how to secure their data and formulate safe passwords.
Tightening up on consent
Current data protection regulations outlaw unsolicited business to consumer marketing and here the term consumers includes sole traders and smaller partnerships. Where a consumer approaches your business and requests information about a certain event or service, you as a business cannot then decide to put that person’s details on a database and electronically market to them in the future.
Consent is required to electronically market to consumers - and what many businesses do is contact that person with a request for consent so they can continue to market to them. A typical request goes along the lines of: “Would you be happy to receive related information from us in the future?”. However, the Information Commissioner, the body responsible for policing the data protection legislation has said that asking for consent to e-mail marketing, via e-mail, when you do not have the correct consent is place, is itself marketing and will break the law!
But what has been a grey area up until now is what exactly is meant by ‘consent’.
In the past, some businesses have attempted to say that if you don’t untick a box, where consumers have automatically been registered, then that amounts to consent.
Now GDPR clarifies the situation and raises the bar in this regard.
It makes it clear that from now on businesses require a ‘clear, affirmative action’ for it to amount to a valid consent - this means people actually need to tick the box.
Greater transparency
Another aim of GDPR is to try and stop the trade in illicit data where organisations are using people’s personal data for reasons they haven’t given their consent for. The Cambridge Analytica scandal, where Facebook profiles were allegedly used without permission to target US voters, has brought this whole area into sharp focus.
GDPR states that data should be processed lawfully, fairly and transparently - meaning there is an obligation on businesses to inform individuals what they are doing with their data and who they are going to transfer it to.
This means there is a requirement to provide more detail and not just state that the information will be sent to ‘third parties’.
So, if the information is to be sent to a certain individual then that person must be named or if it is a business then individuals must be informed of the category of that business, e.g. insurers for the purposes of....
Once the data is with these third parties, they then have a month to contact the individual to inform them how they intend to use their personal data.
Don’t get hung up on the threat of fines
While the Information Commissioner’s Office has said it will fine people and businesses who don’t fall in line with GDPR, it is not in the business of slapping fines on people who are trying to comply. It’s not what they are about.
When it comes to the criteria for issuing fines, the first thing that is looked at when there is a security breach is how serious it is and how far-reaching.
So, if you are a business to business operation and the data you have is e-mail addresses, then you are unlikely to have done too much harm if there is a breach. You won’t have affected people’s privacy in anywhere the same way as if you had revealed thousands of people personal bank account details.
The next fining criteria asks whether the security breach is negligent, deliberate or reckless.
If you can show that you have had board meetings about data security, have put policies in place and have attempted to deal with the problem, then you are unlikely to face a fine.
The high value fines that people have read about relate to the larger organisations who have made serious errors or people who are making a lot of money from selling data. These fines are not aimed at smaller businesses.
You have to try and get it right and if you are struggling the Information Commissioner’s Office can come in, offer informal advice and issue enforcement notices to say ‘get on and do it’. And if you ignore all that then they might issue a fine.
The biggest fines that have been issued relate to one person who sent 99.5 million unsolicited, automated telephone calls and was fined £400,000.
Mobile phone operator Talk Talk was handed a fine of the same amount after a data breach in October 2015 when a cyber attacker accessed the personal data of 156,959 customers. The ICO ruled that the company had failed to take basic steps to protect this information.
You’ve really got to be going some to attract anywhere near this level of fine.
Comments: Our rules
We want our comments to be a lively and valuable part of our community - a place where readers can debate and engage with the most important local issues. The ability to comment on our stories is a privilege, not a right, however, and that privilege may be withdrawn if it is abused or misused.
Please report any comments that break our rules.
Read the rules here