Getting ready for forthcoming data regulation
A recent survey revealed one in four UK businesses has shelved plans to prepare for the introduction of the General Data Protection Regulation (GDPR), which comes into force in May 2018. The GDPR is an EU regulation aimed at harmonising the use and transfer of data across European member states and giving individual citizens more control over the data businesses and public bodies hold on them.
As a specialist in information law, I see GDPR as evolution rather than revolution. In many areas, it is taking current recommended best practice and making it a mandatory legal requirement, modernising 20th century laws that fail to grapple with 21st century issues surrounding information technology and the storage and use of often highly sensitive personal data.
Alarmingly, the reason given in the survey for this rather “risk-based” approach by some businesses to GDPR was that they believe it will not apply post-Brexit. The survey by Crown Records Management also found that while 24 per cent of those questioned were no longer making plans to prepare for the regulation, 4 per cent of businesses had not even begun to prepare.
Make no mistake about it, GDPR will come into effect in UK law, at least in the short to medium term, until the UK leaves the EU. Additionally, even post-Brexit, to be able to trade with the single market on equal terms, and to maintain the free flow of data crucial to doing business, the UK will have to prove “adequacy”, namely that UK data protection standards are essentially equivalent to the EU’s GDPR framework.
It’s clear why so many businesses are concerned about the impending May 2018 deadline when comparing the proposed sanctions regime for serious data protection breaches with the existing UK penalties imposed by the Information Commissioner’s Office (ICO). Currently, the ICO has the power to fine businesses up to £500,000, but under GDPR it will have the power to impose fines of up to 4 per cent of global annual turnover or €20 million, whichever is the higher.
Many data-heavy businesses, particularly those in the retail space, or those that rely on rich customer data for targeted marketing or profiling purposes, will find GDPR more of a challenge. Greater transparency on the information held and the purpose of holding that data will be required, and stricter rules on gaining an individual’s consent to hold and use that information will be introduced. Businesses will have to show they adhere to “living and breathing” compliance, not simply that they have a compliance policy that sits on an intranet and is never looked at. Specifically, firms will have to demonstrate how they implement data protection, provide guidance to staff on how to comply with that policy, and check regularly that staff are in fact complying.
However, it is not only the data-heavy businesses that need to be concerned about GDPR. Businesses small and large will be affected. If your business has not already done so, the first step is to undertake an audit or gap analysis of the data the business actually holds, what it is being used for, and why. This will identify the risks, particularly regarding potential data breaches, whether due to human error, system or technology malfunctions, or a cyber-attack.
Under GDPR, notification of a personal data breach to the ICO will be mandatory where the breach is likely to pose a risk to the individuals affected, and it must be made within 72 hours of the business becoming aware of it. Businesses should look at the measures in place to deal with a data breach and ensure that employees are clear on the actions they need to take in reporting an incident; a 72-hour clock leaves little room for staff who do not know whom to tell. A review of security measures should also take place, particularly of how personal data is encrypted at rest and in transit: GDPR names encryption as an appropriate security measure, and data that has been rendered unintelligible to an attacker is treated more favourably when assessing whether affected individuals must also be told.
ICO guidelines for implementing GDPR are in the pipeline, but in the meantime organisations should look to existing ICO guidance, developed with the introduction of GDPR in mind, to identify the gaps in compliance.
Kathryn Wynn is senior associate and specialist in information law at Pinsent Masons