This year, there have been few political or legal developments that have dominated headlines as much as Brexit. If there is one topic that has come even close, it is the introduction of the EU General Data Protection Regulation (GDPR). The GDPR has far-reaching consequences for data handling and collection across all businesses, and the penalties for disregarding your obligations can be severe.
In this article, Anna Sivula, Solicitor in AMD's Commercial team, considers what the GDPR has meant for businesses and what steps you can take to ensure your business stays compliant.
Overview of the GDPR
The GDPR came into force across the EU on 25 May 2018. Put simply, the GDPR gives individuals more control of what information businesses can collect about them and, importantly, what businesses can do with that information.
Previous legislation struggled to keep pace with the growth of e-commerce and globalisation. The GDPR aims to “harmonise” data privacy laws across the EU, which means all EU Member States (including the UK while it is still an EU Member State) follow the same rules. The Regulation is directly effective in all Member States and individual Member States do not have to pass national laws to make the EU rules applicable in that Member State. This makes data protection laws far easier to understand and enforce across the EU.
On the other hand, the potential penalties for businesses who disregard their data protection obligations are more severe than ever before.
Broadly speaking, the type of data protected by the GDPR is any information relating to an individual which can be used to identify that person, either on its own or when put together with other information. It includes traditional identifiers like name, age and location, and online identifiers such as username, IP address and cookie identifiers.
There will be circumstances where it remains uncertain whether particular data is personal data but, as a general rule, the definition should be construed as widely as possible. The Information Commissioner’s Office (ICO) takes the view that if it is unclear whether information is personal data then, as a matter of good practice, you should still treat the information collected as though it is personal data.
Basic principles of the GDPR
The GDPR establishes basic principles which must be adhered to by businesses operating in EU Member States or engaging with customers based there. The basic principles are:
Lawfulness, fairness and transparency – You must have valid grounds for collecting and using personal data and must use it fairly. You must also be transparent about your processing activities. It is good practice to have data protection policies in place so you can provide clear information about your processing activities and privacy safeguards to customers, suppliers and employees whose data you collect.
Purpose limitation – You must be clear about why you’re collecting the data from the start and you should tell the individuals whose information you collect about those purposes. You should never process information for purposes that are not in line with the original purposes that you collected data for. If you plan to use the information for additional purposes, you should always check that the new purpose is compatible with the original purposes and if it is not, you must obtain specific consent from the individuals before you process their information for a new purpose.
Data minimisation – You should only collect data which is adequate to properly fulfil your stated purpose, relevant to the purpose and limited to what is necessary for the stated purpose. You should not hold more information than you need for the purposes you collected the information for.
Accuracy – You should take all reasonable steps to ensure the personal data you hold is not incorrect or misleading as to any matter of fact. You may need to keep personal data updated although this depends on what purposes you need it for. If you discover that personal data is incorrect or misleading, you must take reasonable steps to correct or erase it as soon as possible.
Storage limitation – You should only keep data for as long as you need it for your stated purposes. You need to think about – and be able to justify – how long you keep personal data. This will depend on your purposes for holding the data. You should periodically review the data you hold, and either erase or anonymise it when you do not need it for the purposes you collected it for. It is good practice to have a data protection policy in place setting out information about retention periods. You must also tell individuals of their right to request erasure of their information at any time.
Integrity and confidentiality – You must ensure that you have appropriate security measures in place to protect the personal data you hold. For this reason the ‘integrity and confidentiality’ principle is also known as the security principle.
Accountability – The GDPR requires you to take responsibility for the data you hold, what you do with it and what steps you take to ensure you comply with the other principles.
GDPR in the UK
As stated above, the GDPR has direct effect in all Member States including the UK, at least for so long as we are still a member of the EU. The GDPR, together with the supporting UK Data Protection Act 2018, replaces the previous data protection legislation, including the Data Protection Act 1998. The government has clarified that the GDPR will be automatically transposed into domestic law and will therefore in effect not be affected by Brexit – it will continue to apply, even if some amendments may need to be made.
Any changes to the GDPR would have to be carefully evaluated in case they were capable of adversely affecting the UK's prospects of securing a formal adequacy decision from the European Commission for its domestic data protection law. An adequacy decision permits a cross-border data transfer outside the EU or onward transfer from or to a party outside the EU without specific authorisation from a national supervisory authority. If the UK deviates too far from the GDPR standard, it may fail to secure an adequacy decision in which case data flows between the UK and EU may be disrupted.
What if there is a data breach?
A personal data breach does not only mean the loss or theft of personal data, although those would certainly count as breaches. A data breach can be any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. It does not matter if a breach is accidental – the GDPR covers breaches that are the result of both accidental and deliberate causes. Personal data breaches can include situations where personal data is accessed by an unauthorised third party (e.g. through a hacking incident), where you send personal data to an incorrect recipient, where you lose computing devices containing personal data or where they are stolen, or where the personal data is lost or becomes unavailable temporarily or permanently (e.g. where it has been encrypted by ransomware).
If there is a personal data breach, you have a duty to report the breach to the ICO in certain circumstances. This should be done within 72 hours of when you become aware of the breach. You may also need to notify the individuals affected by the breach if there is a high risk of there being an adverse effect to the rights and freedoms of those individuals. If that is the case, you must notify the individuals without undue delay. In any event, you must keep a record of any personal data breaches, regardless of whether you are required to notify the breach.
You should ensure you have robust breach detection, investigation and internal reporting procedures in place. This will facilitate decision-making about whether or not you need to notify the relevant supervisory authority and the affected individuals.
Consequences of non-compliance
As mentioned above, the penalties for failing to comply with these obligations can be very serious. Consumers have a reasonable expectation that businesses take care of the personal information they collect and that the information is processed only for the purposes it was collected for. The law now better reflects this expectation and businesses risk severe penalties if they fail to comply.
For less egregious breaches, you can be fined up to the greater of:
- 10 million Euros; or
- 2% of the firm’s global turnover.
More serious offences can incur fines up to the greater of:
- 20 million Euros; or
- 4% of the firm’s global turnover.
Unsurprisingly, these fines have attracted controversy because of the impact they could have on SMEs. It may be reassuring to bear in mind that these fines are worst-case scenarios and the ICO will consider mitigating factors such as the severity of the breach and a company’s efforts to comply with the GDPR. The Information Commissioner, Elizabeth Denham, has also published a blog post reminding businesses that the GDPR gives the ICO a suite of sanctions to help organisations comply, including warnings, reprimands and corrective orders, and that issuing fines will remain the last resort. Financial penalties should not be the only concern businesses have, however: non-compliance also carries a risk of severe reputational damage, as businesses who do not take steps to protect personal data may quickly lose the trust of their customers.
Who has been in breach of GDPR so far?
The ICO has stated that it would take 8-9 months for reports of breaches to be investigated and, therefore, no formal penalties have been imposed by the ICO under the GDPR just yet. The ICO will publish all the enforcement action it undertakes on its website, so you can keep up to date with enforcement cases as they develop.
The GDPR affects businesses of all sizes and the details of the regulation are complex. For further advice and assistance, please do not hesitate to contact our experienced commercial solicitors in Bristol. Give us a call today on 0117 973 3989 or fill out a contact form and we will get in touch as soon as we can.