Digesting data protection in the UK
Following the implementation of GDPR, smaller businesses, particularly those with suppliers, customers or users in the EU, need to pay much closer attention to compliance. Even small companies that do not expect to be on the ICO’s radar may well find that customers, business partners and investors expect them to demonstrate their compliance.
What do smaller businesses need to be aware of? We look at:
- Data protection law – a quick recap of the changes
- Brexit – will it all change again?
- Steps even small business should take
- Why invest in data protection?
- How we can help
Data protection law – a quick recap of the changes
Until May 2018 the Data Protection Act 1998 governed the use of personal information by businesses and other organisations. Anyone who processed personal information had to comply with its eight principles, which included being clear on the purpose for processing, record-keeping, upholding individuals’ rights and, importantly, data security. From 2010 the ICO had the power to issue monetary penalties of up to £500,000 for serious breaches, and companies with low turnovers were not exempt.
The GDPR has had direct effect across all EU member states since 25 May 2018 (in the UK it is supplemented by the Data Protection Act 2018), and businesses will continue to be bound by its principles and obligations under UK law after Brexit.
So what has changed after GDPR?
Data subject rights have multiplied and a full range of reporting obligations has been introduced, including the duty to report certain personal data breaches to the ICO within 72 hours of becoming aware of them. However, what most businesses will be most concerned about are the new monetary penalties: an organisation in serious breach faces a potential fine of up to the higher of 20 million euros or 4% of annual global turnover. Not to be overlooked are the disruption and bad publicity that an investigation brings.
Brexit – will it all change again?
In short, current obligations will remain in place, so in practice there will be little change.
But if you receive personal data from an organisation in the EEA, the sender will need to comply with the EU transfer rules and put adequate safeguards in place. If the EU makes a formal adequacy decision in respect of the UK before Brexit, no specific safeguards will be needed.
Can we still transfer data to and from Europe if we leave without a deal?
The government has said that transfers of data from the UK to the EEA will not be restricted. However, if there is no Brexit deal, the GDPR transfer rules will apply to any data coming from the EEA into the UK, so you will need to consider what safeguards (for example, standard contractual clauses) to put in place to ensure that data can continue to flow.
Steps even small business should take
If you haven’t done so already, you urgently need to review your data protection policy, security and procedures for responding to data breaches. We outline the minimum steps every business should take, no matter how small their turnover.
Data protection compliance officer
A Data Protection Officer (DPO) is tasked with monitoring compliance with data protection law, training employees and handling complaints.
The requirements to appoint a DPO and to carry out a formal data protection impact assessment (DPIA) apply to organisations engaged in “high risk” processing, those that process special categories of personal data (such as health records) on a large scale, and those that carry out large-scale, regular and systematic monitoring or profiling of individuals.
For many smaller businesses it may not be necessary to appoint a DPO. However, with the number of complaints from consumers received by the ICO on the rise, it may be worth appointing one anyway to stay on top of your data compliance and minimise the risk of fines.
If you do appoint a DPO, you must publish their contact details on your organisation’s website, make them easily accessible to your employees and communicate them to the ICO.
Record-keeping
In order to comply with GDPR, all businesses and self-employed individuals should keep accurate and up-to-date records of the personal data they hold and what they do with it.
Due diligence includes mapping data flows, identifying the data security structures and defining access rights and authorisations. In practice this comes down to carrying out something similar to a smaller-scale impact assessment.
Data security
This is one of the key operational requirements of the law. It applies not only to the technical security measures an organisation has to put in place to secure the personal data it stores, but also to the organisational measures: access rights, access controls, authorisation levels, dissemination and access policies, monitoring, audits, staff training and so on. Do you know who has access to information within your organisation?
Data Processing agreements
These are required whenever an organisation allows another organisation to access, store or otherwise process personal data on its behalf. Cloud computing providers, IT system services and support providers, data analysis services and other third parties that may have access to your customer or employee data must sign data processing agreements that meet the requirements of GDPR (Article 28).
Consent
Where consent is the lawful basis you rely on, check that you have obtained valid consent from data subjects. Failure to obtain correct consents or to put adequate data processing agreements in place is likely to attract the attention of the ICO, and it is not worth risking a business-crippling fine.
Why invest in data protection?
There is a pattern emerging not only with the ICO, but other regulatory bodies such as the FCA. Rather than wait for a breach and then face penalties, regulators are looking for companies to take pro-active and positive steps to ensure compliance.
As GDPR sets a high standard, meeting its requirements will go a long way towards compliance with the privacy laws of almost any other country so it is worth taking the time to make your business compliant.
Many smaller businesses do not invest in becoming GDPR-compliant. The risks of not taking any action are only too clear in the ICO’s list of recent fines and the increasing number of larger companies succumbing to insolvency as a result of data breaches.
How we can help
Many of the compliance tasks can be undertaken primarily by your organisation internally. Carrying out the due diligence, documenting processes and systems, putting control systems and authorisation levels in place, and writing and compiling the policy papers and records required by the legislation are tasks that need access to operational and personnel information, and they will be time consuming.
We can assist with:
- providing guidance;
- reviewing and commenting on operational documentation such as data retention policies, IT security policies, data sharing and access rights policies;
- communicating with regulators (for example, if there is an audit, investigation or a complaint against the business or an individual); and
- addressing data subject access requests, including what you do and don’t need to disclose.
We can also help with handling complaints, responding to contact from the ICO, and minimising the fallout from data breaches.