A data protection breach post-GDPR is a threat to any business; make sure you understand the consequences…
The first anniversary of the implementation of the General Data Protection Regulation (GDPR) is on 25 May 2019. Organisations of any size that process personal data have obligations to comply with the GDPR, which includes a prohibition on unlawful processing of personal data. The GDPR places ongoing obligations on businesses, which must remain proactive and accountable for that processing. [For more information about how the GDPR may affect your business, please see our earlier blogs.]
In brief, personal data is information that can identify a living individual, such as a name, contact details (including email addresses), IP addresses, biometric information, and data about health, finances, race or ethnicity. Processing includes collecting, using, sharing, storing and deleting data. It is unlawful to process personal data without a lawful basis. There are six lawful bases, which are set out in the GDPR (including processing under a contract, with consent, or where there is a legitimate interest).
Despite the publicity campaigns and best efforts of the Information Commissioner's Office (ICO) and professionals to inform organisations of their compliance obligations, rough estimates suggest that about half of all organisations were not compliant as at May 2018. While this figure is likely to have shrunk as more organisations have tried to get their houses in order, there will also be a proportion of those who were initially compliant who are no longer in such good shape and have not remained compliant (for example, because business practices have changed or because the lawful basis relied on for processing personal data is no longer valid).
Fines for non-compliance – is your business at risk?
The ICO has extensive powers to investigate and fine organisations up to £17m or 4% of global turnover for breaches of the GDPR (as well as to carry out other enforcement activity). Since May 2018, fines have been issued against organisations such as Bounty (UK) Limited (£400,000) and the Vote Leave campaign (£40,000), and against individuals for unlawful data sharing or use (such as sending client details to personal home email addresses), among other penalties. As a number of these offences occurred under the previous legislation (the Data Protection Act 1998), the fines levied were lower than they could have been under the GDPR.
The ICO has said that its aim is not to catch organisations out, but rather to enforce the objectives of the GDPR and protect individuals' personal information. If the ICO receives a complaint or tip-off about unlawful processing of personal information by an organisation, the fact that the organisation has up-to-date records and processes in place (and actually follows those policies) will mitigate the risk of the ICO imposing penalties and fines.
Obligation to pay ICO’s Registration Fee
Alongside the GDPR, UK data protection law also obliges organisations that process personal data to pay a data protection fee to the ICO (ranging from £35 to £2,900 depending on the size of the organisation and the nature of the processing). The ICO has started to issue fines for non-payment of the fee to organisations across a range of sectors, including business services, construction, finance, health and childcare. Between September and November 2018, the ICO reported that it had issued more than 900 notices of intent, with more than 100 penalty notices issued in that first round. Organisations are reminded to pay the fees owing or face enforcement action from the ICO!
How are organisations faring on GDPR compliance?
The Global Privacy Enforcement Network (GPEN), an independent network of privacy regulators, carries out an annual intelligence-gathering "sweep". The 2018 sweep looked at how well organisations have implemented the core concepts of accountability into their own internal privacy policies and programmes. The 356 organisations in 18 countries that responded showed the following trends:
- Monitoring the internal performance of data protection standards was poor, with about 25% of respondents having no programmes in place to conduct self-assessments and/or internal audits.
- While there was a generally high proportion of organisations providing initial training to staff, there was often a failure to provide refresher training to existing staff.
- Organisations demonstrating good practice have monitoring programmes in place, including annual audits or reviews and/or regular self-assessments.
- However, nearly half of the respondent organisations did not keep adequate records of all data security incidents and breaches, with a number reporting that they had no processes in place to deal with data security incidents.
The ICO carried out its own survey of 28 organisations across various sectors in the UK, and came to the following conclusions:
- Only 67% of the organisations that responded said that they conduct regular self-assessments or audits of their internal data protection standards and practices, and only 67% indicated that they maintain inventories of the personal data they hold.
How can organisations demonstrate that they remain compliant?
The key to remaining compliant is keeping the protection of personal data at the heart of every processing activity, and for organisations to remain aware of what data they hold, for what purpose, and what is done with that data. Put simply, this can be done by:
- Taking GDPR compliance to the heart of the organisation, with management taking responsibility.
- Understanding what obligations organisations have on processing personal data, and how that affects the organisation itself.
- Knowing what data is held, who it relates to and how it is held and shared (and checking this at least annually – and recording those checks).
- Only processing data in accordance with a lawful basis and the GDPR (including when dealing with third parties).
- Remaining transparent and informing individuals of what personal data is held about them, why and what is done with that data.
- Having systems and policies in place (including technical measures such as security) to deal with how and what data is processed (and keeping this under regular review).
- Recording decisions made about how data is processed.
- Providing regular training (and refresher training) and monitoring staff to remind them of, and test, their compliance.
- Acting swiftly to protect individuals’ rights over their personal information (including dealing with requests for information and dealing correctly with breaches).
- Testing and auditing data protection measures and using audit results and metrics to demonstrate compliance.
At LawBite, we can help guide businesses through the maze of initial compliance and with the process of remaining compliant with the GDPR obligations.
Find out more about our GDPR legal advice services to help your business become fully compliant.
If you remain uncertain about your position regarding the full compliance of your data protection procedures, you can check your position via our handy GDPR Checklist.
The author of this article is expert LawBrief Rachel Robinson.
Rachel has over 20 years' experience of providing company commercial law advice, including drafting contracts, data protection and competition law, to organisations of all sizes, ranging from FTSE 100 companies to owner-managed small businesses.