Working with Data Protection - Part 1
The second anniversary of the GDPR is upon us – 25th May 2020.
In September 2019, a survey of UK GDPR decision-makers (conducted on behalf of Egress) found that 52% of businesses are not fully compliant with GDPR.
This represents millions of UK businesses. It is striking that the number is so high and that so many businesses have not taken steps to become compliant in such an important area. It is an odd risk to take, as the fines and penalties are sizeable and are regularly being handed out by the authorities.
Research by DLA Piper found that there have been 200 GDPR fines across the EU, with the largest levied on Google Inc (France – 50 million euros) and the smallest on a hospital (Hungary – 90 euros). Germany has seen two fines totalling 24 million euros.
Larger companies may have a Data Protection Officer on the payroll with a generous budget to implement data protection system changes to achieve compliance, but what can the rest of the market do?
If your business is processing personal data (even if it is only your employees' data), you need to take steps to comply with GDPR.
Let us have a look at the key principles required and how to achieve compliance.
The overriding obligation for any business (regardless of size) is to demonstrate compliance with the Data Protection Principles of the GDPR, as well as to show that compliance is being adhered to.
The GDPR sets out seven principles for the lawful processing of personal data. Processing includes the collection, organisation, structuring, storage, alteration, consultation, use, communication, combination, restriction, erasure, or destruction of personal data.
Broadly, the seven principles are:
1. Personal Data shall be processed transparently, fairly, and lawfully
Your data needs to be processed fairly and openly with appropriate reviews to make sure this is happening. Transparency should include telling the individual whose data you have how the data is going to be used and how they can access that information.
2. Purpose Limitation
The data obtained and processed should only be used in relation to the initial specified purpose which has been clearly spelt out. You should never collect any information which you do not need or will never use, or indeed any data which is superfluous or irrelevant.
3. Data Minimisation
Do not collect data which you have no immediate need of. You should only collect the bare minimum of data for the required use.
4. Accuracy and Keeping up to date
It is important to make sure that the data you hold is accurate and up to date. Any data which is old or wrong should be deleted/erased as soon as possible, with a note confirming what you have done.
5. Storage Limitation
The data you store should not be kept for any longer than necessary. This is quite obvious and requires reviews every now and again. Once data isn’t required it should be deleted with an explanatory note.
6. Integrity and Confidentiality
All required steps must be taken to protect the data you store. You must guard against loss, unauthorised access, damage, destruction, or any other scenario where the rights of the individual whose data you hold may be compromised. So – individuals who handle the data must be trustworthy and systems must be safe and secure.
7. Accountability
This accountability principle requires you to take responsibility for what you do with personal data and how you comply with the other principles.
Why are these so important?
Clearly these principles are not precisely drafted; they are designed to encourage data controllers and businesses to engage with the required spirit.
They are based on common sense and what an individual might reasonably expect.
Failure to comply with the principles can result in the substantial fines mentioned at the start of this paper. Infringements of the basic principles for processing personal data can be subject to fines of up to €20 million, or 4% of your total worldwide annual turnover, whichever is higher.
How to check the compliance of your business
Some of the following suggestions will depend on the size of your organisation. Being small, however, is not a defence against non-compliance. Here are some ideas.
Risk Assessment – carry out a risk assessment across your entire business on the processing of personal data. Identify and record any weaknesses and devise a plan to improve those areas.
Data Protection Impact Assessment (DPIA) – this is a new GDPR requirement where you need to assess the impact of any new system or ideas when collecting data. Put this in writing.
Keep a Data Processing Register – e.g. a formal list of employee or customer data held in one place which can then be kept secure.
Keep a Data Breach Register – if you do happen to discover any breach or poor practice, record the information behind it and what caused it together with measures taken and steps to improve that area. Breaches have to be notified to the Information Commissioner within 72 hours of discovering the breach.
Training & Awareness – make sure your HR and business teams understand their obligations as key people in this area. It is worthwhile considering some online training.
Check all your suppliers – if your suppliers or business partners are handling your data, e.g. your customer data, perform regular inspections to make sure that they are equally compliant. You may be held responsible for failing to secure your customers' data while it is in the hands of a third party you contracted with.
19th May 2020
How GDPR compliant are you?