Digesting data protection in the UK

  • Posted

Following the implementation of GDPR, smaller businesses, particularly with suppliers, customers and users in the EU, need to pay much closer attention to compliance. Even smaller companies that may not expect to be on the ICO’s radar, may well find that customers, business partners and investors expect them to demonstrate their compliance.

What do smaller businesses need to be aware of? We look at:

Data protection law – a quick recap of the changes

The Data Protection Act 1998 governs the use of personal information by businesses and other organisations. Anyone who processes personal information must comply with the eight principles, which include being clear on the purpose for processing, record-keeping, upholding individuals’ rights and importantly, data security. Since 2010, the ICO has had the power to issue monetary penalties up to a maximum of £500,000 for serious breaches. Companies with low turnovers are not exempt.

The GDPR has direct effect across all EU member states and businesses will continue to be bound by its principles and obligations under UK law after Brexit.
So what has changed after GDPR?

GDPR introduces the concept of “data protection by design and by default”. This requires organisations to set up their processes, policies, systems and services around compliance requirements. It is an attempt to move away from ‘tick box’ compliance (such as having a standard privacy policy and some standard consent buttons on the website) to a more rigorous approach safeguarding privacy interests of consumers, patients, employees and other individuals. Naturally, this is more of a concern for organisations that deal with large volumes of personal data or whose activities are focused on collection, hosting or analysis of personal data – but it raises the bar for compliance across the board.

Data subject rights have proliferated and a full spectrum of reporting obligations introduced. However, what most businesses will be concerned about are the new monetary penalties, leaving organisations in serious breach with potential fines of the higher of 20 million Euros or 4% of annual global turnover. Not to be overlooked is the aggravation and bad publicity which arises under the process.

Brexit – will it all change again?

In short, current obligations will remain in place so practically there will be little change.

But if you receive data from an organisation in the EEA, the sender will need to comply with the EU regime and apply adequate safeguards. If the EU makes a formal adequacy decision before Brexit, there will be no need for specific safeguards.

Can we still transfer data to and from Europe if we leave without a deal?

The government has said that transfer of data from the UK to the EEA will not be restricted. However, if there is no Brexit deal, GDPR transfer rules will apply to any data coming from the EEA into the UK so you will need to consider what safeguards to put in place to ensure that data can continue to flow.

Steps even small business should take

If you haven’t done so already, you urgently need to review your data protection policy, security and procedures for responding to data breaches. We outline the minimum steps every business should take, no matter how small their turnover.

Privacy policies

These need to be updated and publicly available on your website. A privacy policy is a public statement of how your organisation applies GDPR’s data protection principles to processing data. It should be clear and concise and easily accessible.

As well as making your privacy policy available on your website, you also need to make it clear how data will be used and by whom (no pre-ticked boxes) and make it easy to unsubscribe from marketing at any time.

Data protection compliance officer

A Data Protection Officer is tasked with monitoring compliance with data protection law, training employees and handling complaints.

The requirements to appoint a data protection compliance officer and to complete a formal processing impact assessment are imposed on organisations engaged in “high risk” activities or which process special categories of personal data (such as health records) or engage in significant profiling or monitoring of individuals.

For many smaller businesses it may not be necessary to appoint a DPO. However, with the number of complaints from consumers received by the ICO on the rise, it may be worth appointing a DPO to stay on top of your data compliance and minimise the risk of fines.

You must publish contact details for your DPO on your organisation’s website, make them easily accessible to your employees and communicate them to the ICO.

Record Keeping

In order to comply with GDPR all businesses and self-employed individuals should keep accurate and up-to-date records.

Due diligence includes mapping any data flows, identifying the data security structures and defining access rights and authorisations etc. This basically comes down to carrying out something similar to a smaller scale impact assessment.

Security

This is one of the key operational requirements of the law. This applies not only to the technical security measures that an organisation has to put in place to secure personal data it stores but also the organisational measures – access rights, access controls, authorisation levels, dissemination and access policies, monitoring, audits, training of staff etc. Do you know who has access to information within your organisation?

Data Processing agreements

These are required in any case where an organisation allows another organisation to access, store or use personal data records. Cloud computing providers, IT system services and support providers, data analysis services and other third parties that may have access to your consumer or employee data have to sign data processing agreements that comply with the requirements of GDPR.

Check that you have obtained adequate consent from data subjects. Failure to obtain correct consents and implement adequate data processing agreements will likely result in a call from the ICO. It is not worth risking a business-crippling fine.

Why invest in data protection?

There is a pattern emerging not only with the ICO, but other regulatory bodies such as the FCA. Rather than wait for a breach and then face penalties, regulators are looking for companies to take pro-active and positive steps to ensure compliance.

As GDPR sets a high standard, meeting its requirements will go a long way towards compliance with the privacy laws of almost any other country so it is worth taking the time to make your business compliant.

Many smaller businesses do not invest in becoming GDPR-compliant. The risks of not taking any action are only too clear in the ICO’s list of recent fines and the increasing number of larger companies succumbing to insolvency as a result of data breaches.

How we can help

Many of the compliance tasks can be undertaken primarily by your organisation internally. Carrying out the due diligence, documenting processes and systems, putting in place control systems, authorisation levels etc. and writing and compiling policy papers and records as required by the legislation are tasks that will require access to operational personnel information and would be time consuming.

We can assist with:

  • providing guidance;
  • reviewing and commenting on operational documentation such as data retention policies, IT security policies, data sharing and access rights policies;
  • drafting or amending legal documentation such as the privacy policy statements, standard data processing agreements and data export agreements;
  • communicating with regulators (for example, if there is an audit, investigation or a complaint against the business or an individual); and
  • addressing data subject access requests, including what you do and don’t need to disclose.

We can also help with handling complaints, responding to contact from the ICO, and minimising the fallout from data breaches.

Whether you are only just getting around to sorting out your compliance or you don’t know what information you need to disclose in a subject access request we can assist. With reported data breaches on the rise the risk of an ICO penalty is higher. Please do call us to discuss any data protection concerns for your business on 0207 438 1060.