How much do you understand about your obligations under the General Data Protection Regulation (GDPR)? This article aims to help you understand your responsibilities better, with extra knowledge provided by Karen Holden from A City Law Firm.
The General Data Protection Regulation (GDPR) is the toughest privacy and security law in the world, imposing obligations on companies anywhere that target, collect or process personal data pertaining to individuals living in the EU. The regulations apply equally to start-ups and to large multi-national companies.
The Regulations give individuals control over their personal data by holding companies liable for how they handle and treat this information, mandating that personal data must be protected against “unauthorised or unlawful processing, and against accidental loss, destruction or damage.” The regulations apply regardless of the method used to collect the personal data, including data collected by means other than website or internet tools. Additional rules and processes apply if this data is passed between jurisdictions.
The GDPR data protection changes came in 2018 and the UK has continued to follow the legislation post-Brexit. Press coverage of hacking, GDPR breaches and penalties continues to keep the regulations in the minds of business owners.
What can and can’t you do?
Under GDPR, businesses cannot legally process any individual’s personally identifiable information unless they meet one of the conditions below:
- Consent has been obtained from the individual to process their personal data for a specific purpose. Information about consent should be clear and obvious.
Otherwise you must rely on a legitimate interest:
- The processing is necessary for a contract between the business and the individual, or the individual has asked the business to take specific steps before entering into a contract.
- The processing is necessary for the business to comply with the law such as HMRC tax.
- The processing is necessary to protect someone’s life.
- The processing is necessary for the business to perform a task in the public interest or for its official functions, and the task or function has a clear basis in law.
- The processing is necessary for the business’ legitimate interests or legitimate interests of a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject.
When should I report a breach?
The GDPR places an obligation on the data controller to report personal data breaches to the relevant supervisory authority within 72 hours of the breach. If the data controller does not notify within that time, it must provide a reason for the delay. The breach notification should describe the nature and type of the data breach. If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, the data controller must also inform those individuals without undue delay. The data controller must keep a record of any personal data breaches. The thought of reporting your own business is difficult, especially if you can resolve matters yourself, but doing so protects you from later fall-out; having a designated person oversee this, together with clear policies, makes it a step-by-step must-do without the need to ponder the decision.
If a former or current staff member has taken personal data or breached GDPR policies, this will ultimately be a dismissal offence, but sadly, as an employer, you will likely need to report this breach to the ICO. How you follow the process and remedy the breach will be taken into account, so have a set of policies that are practical and possible to follow; monitor this carefully and restrict access to data to only those who need it. Caution, calculation and enforcement will place you in good stead.
Let’s think about the implications of non-compliance
Many used to think the rules affected only large corporates, but slowly we have seen other companies being scrutinised. As a result, many businesses have been reviewing and enhancing their policies and processes. 2022-2023 is likely to give rise to more data privacy laws and will see increased enforcement and greater penalties for GDPR breaches, as this is now an area under much public scrutiny. The consequences of non-compliance with the GDPR can be quite severe. The UK GDPR and DPA 2018 set a maximum fine of £17.5 million or 4% of annual global turnover (whichever is greater). The EU GDPR sets a maximum fine of €20 million or 4% of annual global turnover (whichever is greater). The Information Commissioner’s Office does, though, appear to consider your actions: how you have sought to understand and follow the rules and how you reacted. Having policies and plans, and following them, can therefore assist should a breach occur.
That said, GDPR infringements don’t always lead to data protection fines. Supervisory authorities can take a range of other actions, including:
- Issuing warnings and reprimands;
- Imposing a temporary or permanent ban on data processing;
- Ordering the rectification, restriction or erasure of data; and
- Suspending data transfers to third countries.
The Information Commissioner’s Office has an excellent website for SMEs, with helpful advice on how to protect the data you hold and make sure your business complies with the regulations, including a guide to all the key terms used.