Data protection laws which came into existence before the massive increase in the use of social media, the internet and technology are set to be overhauled by the General Data Protection Regulations which come into force in May 2018.

Many businesses think that this won’t affect them, or suspect that it is another attempt to impose a bureaucratic burden on them for no good reason, but this is a misconception, writes Ashley Harkus, partner at Everett Tomlin Lloyd & Pratt Solicitors, Newport, Pontypool and Usk.

Every business will retain data of some sort, whether it is about its employees, clients, potential clients or customers.

The level of information held will depend on the nature of the business: a shop may only hold the most basic information about its customers, but a care home may hold very sensitive health records or private information which it has a duty to protect.

The purpose of the new regulations is to ensure that each business is aware of its responsibilities, identifies the data that it holds and why it is holding it, and then puts steps in place to ensure that the data is safe, accurate and held for an appropriate period of time.

For some businesses that hold, process or use a high volume of data, or that hold sensitive data, there are additional requirements that need to be met. They will need to appoint a person to oversee compliance: a data protection officer. Public authorities, organisations which carry out regular monitoring of individuals, and businesses that carry out large scale processing of sensitive data have to designate somebody.

The Information Commissioner’s Office has produced some guidance on the steps that businesses need to take to be compliant. While this is a complex area, in brief the steps are as follows:

• Document the categories of personal data that you hold, where it came from and who you share it with. If that information is passed on to anybody else, the regulations require businesses to maintain records of those activities and to correct any errors in personal data shared with other organisations.

• Consider what you need to tell your clients or customers at the outset. Currently it is necessary to give people information about how you intend to use their data. The new regulations expand this to include information telling customers or clients why you have a lawful basis for processing data, how long you will keep it for, and that they have the right to complain to the Information Commissioner’s Office if they think there is a problem with the way that you handle the data.

• Make sure you have procedures covering deletion of personal data and the rights of your customers or clients. Those rights will be expanded under the new regulations. At present customers or clients can make a subject access request and, as long as they pay a fee, are entitled to have a reasonable request complied with. Under the new regulations the time limit is cut to 30 days and generally no fee can be charged. Larger organisations which have a high level of these requests will need to consider their IT systems and potentially develop systems that allow people to access information online.

• Consider why you hold data and for how long. The purpose of the regulations is to rebalance the retention of data so that individuals have more rights, and to prevent businesses from retaining or using data without good reason. Given recent large scale data breaches and the prevalence of cyber crime, this appears to be a laudable aim.

Any business that currently encourages customers or clients to allow retention of data by pre-ticked check boxes or consents buried within terms and conditions will find life much more difficult under the new regulations, as consent cannot be given in that way under them. Consent will become an opt-in and must be properly documented and easily withdrawn.

Every business will need to demonstrate that it has considered how long data will be retained for and that it has a method of safe destruction.

For the first time there is special protection for a child’s personal data. A parent or guardian must consent if that information is going to be used.

Data breaches which are potentially serious have to be notified to the Information Commissioner’s Office. Failure to report a breach could result in a fine, in addition to a fine for the breach itself. While the Information Commissioner’s Office has indicated that fines are not to be the first resort, powers within the regulations allowing a fine of up to four per cent of a business’s turnover are enough to make business owners pay serious attention to compliance.

Any business which is regulated or audited should expect to have questions asked about the GDPR, and all businesses need to be aware of the regulations, take advice, and put steps in place in order to show compliance. Anyone hoping for leniency in the early days of the regulations may be disappointed, given the stance of Karen Round, head of private sector engagement at the Information Commissioner’s Office, who has said: “Day one is day one. It will be in force”.

It may seem as though the new regime is some way off, but all businesses need to start preparing now for the steps that will be needed to avoid the consequences of a data breach.