Adviser Autumn 2017

Adviser spoke to Jon Bloor, Corporate Commercial Partner at Ellisons Solicitors, to discuss the upcoming General Data Protection Regulation and how it will affect businesses of all shapes and sizes.

What is GDPR and when will it happen?

The new General Data Protection Regulation (GDPR) comes into force on 25 May 2018, which leaves only a few months for businesses to prepare. Larger corporations and public authorities are already taking GDPR seriously; at the time of writing there were well over 1,000 advertised roles across the UK for new Data Protection Officers. For owner-managed businesses and SMEs the picture is rather different. Most clients we talk to are aware that the new regulations are coming in next year, but have not necessarily taken all of the necessary steps to prepare.

What happens if businesses in the UK don’t comply with GDPR? Will they be faced with fines?

The headline position, which has been heavily reported, is that the most serious breaches of the GDPR could give rise to a fine of either up to 40% of your annual turnover or up to €20,000,000, whichever is higher. However, it’s worth bearing in mind that the largest fine issued by the Information Commissioner under the existing legislation is already £350,000, so the consequences for businesses of not taking their data protection obligations seriously can already be severe. The Information Commissioner’s Office (ICO) have already stated that they will take a “proportionate” approach to enforcement under the GDPR, and it’s unlikely that a business which was making genuine efforts to comply with its GDPR obligations would be hit with fines of this scale.

Does that mean that all businesses will have to go through their databases and get fresh consent for all marketing communications?

Unfortunately in some cases the answer to this could be “yes”. Where you rely on the consent of the data subject for processing of their data, the GDPR requirement is that it must be freely given, specific, informed and unambiguous, and based on some clear affirmative action (i.e. an opt-in). In particular, consent can’t be granted by silence, pre-filled boxes or inactivity, or in a general set of terms and conditions accepted by the user. You will need to be able to provide evidence of how and when consent was obtained. The GDPR doesn’t automatically require businesses to obtain fresh consents, but if you can’t produce evidence that the individuals on your mailing list have given consent which meets the above requirements then you may need to obtain fresh consents in order to continue processing their data for marketing purposes.

It’s also worth noting that you have to provide a straightforward method for withdrawal of consent. In some cases this may require changes to websites, customer contracts and business processes.

So, does that mean that businesses will need to get specific consent to process any personal data?

No, there are a number of other ways in which data can be lawfully processed under the GDPR, and some of these may be considerably easier than relying on consent. For example, processing will be lawful if it is necessary for the performance of a contract with the data subject. This would cover the processing of personal data by an online retailer to fulfil orders placed by a customer. However, you still need to bear in mind the other requirements of the GDPR, in particular that the data processed should be limited to what is necessary for the relevant purpose and not retained for longer than is necessary. So if an online purchase was being made, the retailer would need to make sure that unnecessary data was not collected (for example, date of birth where this wasn’t relevant to the transaction) and that their policies on how long the data should be retained for were carefully considered and documented.

Where a business is only a “data processor”, presumably they won’t have to worry too much?

Unfortunately this is not the case. The distinction between the data controller (who has the main responsibility and liability for the processing of personal data) and the data processor (who simply processes the data according to the controller’s instructions) will still be relevant. However, data processors are subject to specific obligations under the GDPR (for example, to process data in accordance with the instructions of the data controller, and restrictions on sub-contracting). If a data breach arises because the processor fails to comply with these obligations of the GDPR then it may be directly liable for financial penalties. Many businesses have these “processor / controller” contracts in place and it is likely that these will need to be reviewed before the GDPR comes into force.

What happens if a business breaches the GDPR? Do they have to notify the Information Commissioner’s Office (ICO)?

From a GDPR perspective you will only be required to notify the ICO of a breach where it is likely to result in a risk to the rights and freedoms of individuals (for example, loss of confidentiality). Where there is a “high risk” you may also be required to notify the individuals concerned directly.

In practice this may be a difficult decision to make, and I suspect that organisations may choose to err on the side of safety and notify the ICO rather than running the risk of being accused of having failed to notify them at a later date. However, for breaches which don’t meet this threshold there is no automatic requirement to notify.

If someone thinks they may be affected by GDPR, where can they find further information?

The best starting point is the ICO’s website (https://ico.org.uk/), which has a great selection of resources on the GDPR, including a “myth busting” blog addressing some of the misapprehensions which have grown up about the GDPR.

To find out more about the legal services available to you and for more information on getting prepared for GDPR, you can contact Jon Bloor at Ellisons Solicitors on 01473 556900 or email jon.bloor@ellisonssolicitors.com

SCRUTTON BLAND | LEGISLATION
