Adviser - Autumn 2017

It’s also worth noting that you have to provide a straightforward method for withdrawal of consent. In some cases this may require changes to websites, customer contracts and business processes.

So, does that mean that businesses will need to get specific consent to process any personal data?

No, there are a number of other ways in which data can be lawfully processed under the GDPR and some of these may be considerably easier than relying on consent. For example, processing will be lawful if it is necessary for the performance of a contract with the data subject. This would cover the processing of personal data by an online retailer to fulfil orders placed by a customer. However, you still need to bear in mind the other requirements of the GDPR, in particular that the data processed should be limited to what is necessary for the relevant purpose and not retained for longer than is necessary. So if an online purchase was being made, the retailer would need to make sure that unnecessary data was not collected (for example, date of birth where this wasn’t relevant to the transaction) and that their policies on how long the data should be retained for were carefully considered and documented.

Where a business is only a “data processor”, presumably they won’t have to worry too much?

Unfortunately this is not the case. The distinction between the data controller (who has the main responsibility and liability for the processing of personal data) and the data processor (who simply processes the data according to the controller’s instructions) will still be relevant. However, data processors are subject to specific obligations under the GDPR (for example, to process data in accordance with the instructions of the data controller, and restrictions on sub-contracting). If a data breach arises because the processor fails to comply with these obligations then it may be directly liable for financial penalties. Many businesses have these “processor / controller” contracts in place and it is likely that these will need to be reviewed before the GDPR comes into force.

What happens if a business breaches the GDPR? Do they have to notify the Information Commissioner’s Office (ICO)?

From a GDPR perspective you will only be required to notify the ICO of a breach where it is likely to result in a risk to the rights and freedoms of individuals (for example, loss of confidentiality). Where there is a “high risk” you may also be required to notify the individuals concerned directly. In practice this may be a difficult decision to make, and I suspect that organisations may choose to err on the side of safety and notify the ICO rather than running the risk of being accused of having failed to notify them at a later date. However, for breaches which don’t meet this threshold there is no automatic requirement to notify.

If someone thinks they may be affected by GDPR, where can they find further information?

The best starting point is the ICO’s website (https://ico.org.uk/), which has a great selection of resources on the GDPR, including a “myth busting” blog addressing some of the misapprehensions which have grown up about the GDPR. To find out more about the legal services available to you and for more information on getting prepared for GDPR you can contact Jon Bloor at Ellisons solicitors on 01473 556900 or email jon.bloor@ellisonssolicitors.com
