• Gdpr
  • May 13, 2019

One year on...Why GDPR non-compliance could cost you your business

By Lawbite Team

A data protection breach post-GDPR is a threat to any business, so make sure you understand the consequences.

The first anniversary of the implementation of the General Data Protection Regulations (GDPR) is on 25 May 2019. Organisations of any size that process personal data have obligations to comply with the GDPR, which include a prohibition on unlawful processing of personal data. The GDPR places ongoing obligations on businesses, which must remain proactive and accountable for that processing. For more information about how the GDPR may affect your business, please see our earlier blogs.

In brief, personal data is information that can identify a living individual, such as a name, contact details such as email addresses, IP addresses, biometric information, and data about health, finances, race, ethnicity, etc. Processing includes collecting, using, sharing, storing and deleting data. It is unlawful to process personal data without a lawful basis. There are six lawful bases, which are set out in the GDPR (including processing under a contract, with consent or where there is a legitimate interest).

Despite the publicity campaigns and best efforts of the Information Commissioner’s Office (ICO) and professionals to inform organisations of their compliance obligations, rough estimates suggest that about half of all organisations were not compliant as at May 2018. While this figure is likely to have shrunk as more organisations have tried to get their houses in order, there will also be a proportion of those who were initially compliant who are no longer in such good shape and have not remained compliant (for example if business practices have changed or if the legal basis for processing personal data is no longer valid).

Fines for non-compliance - is your business at risk?

ICO has extensive powers to investigate and fine organisations up to £17m or 4% of global turnover for breaches of the GDPR (as well as carrying out other enforcement activity). Since May 2018, fines have been issued against organisations such as Bounty (UK) Limited (£400,000) and Vote Leave Campaign (£40,000), as well as against individuals (for unlawful data sharing/use such as sending client details to home email addresses), among other penalties. As a number of these offences were under the previous legislation (the Data Protection Act 1998), the fines levied were lower than they could have been under the GDPR. ICO has said that its aim is not to catch organisations out, but rather to enforce the objectives of the GDPR to protect individuals’ personal information. If ICO receives a complaint or tip-off about unlawful processing of personal information by an organisation, the fact that the organisation has up-to-date records and processes in place (and follows those policies) will mitigate the risk of ICO imposing penalties and fines.

Obligation to pay ICO’s Registration Fee

The GDPR also places an obligation on organisations that process personal data to pay a fee to ICO (ranging from £35 to £2,900 depending on the size of the organisation and the nature of the processing). ICO has started to issue fines for non-payment of the fee to organisations across a range of sectors, including business services, construction, finance, health and childcare. Between September and November 2018, ICO reported having issued more than 900 notices of intent, with more than 100 penalty notices being issued in that first round. Organisations are reminded to pay the fees owing or face enforcement action from ICO!

How are organisations faring on GDPR compliance?

An independent body, the Global Privacy Enforcement Network (GPEN), carries out an annual intelligence-gathering operation; the 2018 exercise looked at how well organisations had implemented the core concepts of accountability in their own internal privacy policies and programmes. The results of the 2018 study showed the following trends among the 356 organisations in 18 countries that replied:
  • Monitoring the internal performance of data protection standards was poor, with about 25% of respondents having no programmes in place to conduct self-assessments and/or internal audits.
  • While there was a generally high proportion of organisations providing initial training to staff, there was often a failure to provide refresher training to existing staff.
  • The organisations who carry out good practice have monitoring programmes in place, including carrying out annual audits or reviews and/or regular self-assessments.
  • However, nearly half of the respondent organisations did not keep adequate records of all data security incidents and breaches, with a number reporting that they had no processes in place to deal with data security incidents.
ICO carried out its own survey with 28 organisations across various sectors in the UK, and came to the following conclusions:
  • Only 67% of organisations that provided a response said that they conduct regular self-assessments or audits of internal data protection standards and practices, and only 67% indicated that they maintain inventories of the personal data they hold.
  • 83% of UK organisations that responded to the ICO’s queries indicated that they have implemented an internal data privacy policy and ensure that staff receive data protection training.

How can organisations demonstrate that they remain compliant? 

The key way of remaining compliant is to keep the protection of personal data at the heart of any processing activity, and for organisations to remain aware of what data they hold, for what purpose, and what is done with that data. Put simply, this can be done by:
  • Taking GDPR compliance to the heart of the organisation, with management taking responsibility.
  • Understanding what obligations organisations have on processing personal data, and how that affects the organisation itself.
  • Knowing what data is held, who it relates to and how it is held and shared (and checking this at least annually – and recording those checks).
  • Only processing data in accordance with a lawful basis and the GDPR (including when dealing with third parties).
  • Remaining transparent and informing individuals of what personal data is held about them, why and what is done with that data.
  • Having systems and policies in place (including technical measures such as security) to deal with how and what data is processed (and keeping this under regular review).
  • Recording decisions made about how data is processed.
  • Regular training (and refresher training) and monitoring of staff to remind and test on their compliance.
  • Acting swiftly to protect individuals’ rights over their personal information (including dealing with requests for information and dealing correctly with breaches). 
  • Testing and auditing data protection measures and using audit results and metrics to demonstrate compliance. 

At LawBite, we can help guide businesses through the maze of initial compliance and with the process of remaining compliant with their GDPR obligations. Find out more about our GDPR legal advice services to help your business become fully compliant. If you remain somewhat uncertain about your position regarding the full compliance of your data protection procedures, you can check your position via our handy GDPR Checklist. For further business legal advice and legal contract reviews, please enter an enquiry or call us today on 020 7148 1066 to speak to a member of our friendly Client Care Team.

The author of this article is expert LawBrief Rachel Robinson. Rachel has over 20 years’ experience of providing company commercial law advice, including drafting contracts, data protection and competition law, to organisations of all sizes, ranging from FTSE100 companies to owner-managed small businesses.

In closing

Nothing in this article constitutes legal advice on which you should rely. The article is provided for general information purposes only. Professional legal advice should always be sought before taking any action relating to or relying on the content of this article. Our Platform Terms of Use apply to this article.


