Regarding the new GDPR rules which are proving complicated and I’m unsure as to whether my business is now compliant, is my business at risk if I’m found not to be?
The General Data Protection Regulation (GDPR) came into effect on 25 May 2018 replacing the Data Protection Act 1998 in the UK, placing greater obligations on how organisations of all sizes handle personal data within the European Union.
Despite the extensive media coverage about the GDPR, it is apparent that not all businesses have been able to understand its requirements on their business. The Federation of Small Businesses launched a GDPR awareness campaign early this year after revealing that just 8% of the UK’s smallest firms are prepared for the new EU privacy regulation and estimated that it will cost small businesses on average around £1000 to achieve GDPR compliance.
As a general guide, to comply with the GDPR as a business, you must ensure that personal data must be:-
- processed fairly, lawfully and transparently;
- collected and processed only for specified, explicit and legitimate purposes;
- adequate, relevant and limited to what is necessary for the purposes for which it is processed;
- accurate and kept up to date. Any inaccurate data must be deleted or rectified without delay;
- kept for no longer than is necessary for the purposes for which it is processed;
- processed securely.
Personal data means information which relates to a living person who can be identified from that data on its own, or when taken together with other information which is likely to come into your possession. It includes any expression of opinion about the person and an indication of the intentions of you or others, in respect of that person. It does not include anonymised data. An example of Personal Data would be the information contained in an employee or candidate’s CV.
What do I have to do practically speaking?
It is not clear what steps you have taken to ensure your business is compliant with the GDPR. Most businesses carry out a Data Audit and put in place a Privacy Notice for their commercial contacts and customers on their website together with a Privacy Notice for the people working for the business.
If you are not sure if your business is compliant you can contact the Information Commissioner’s Office (ICO) for general guidance on the steps you should have taken or take specialist independent legal advice.
If you are not compliant what could happen ?
The ICO is the regulator in the UK for the GDPR and it can take action where it considers it necessary to change the behaviour of organisations and individuals that collect, use and keep personal information. There are a number of tools available to the ICO which include criminal prosecution, non-criminal enforcement and audit. The Information Commissioner also has the power to serve a monetary penalty notice on a data controller, which in most cases would be the business.
In terms of financial penalties, there are two tiers, the higher maximum and the standard maximum.
The higher maximum amount, is 20 million Euros (or equivalent in sterling) or 4% of the total annual worldwide turnover in the preceding financial year, whichever is higher and can apply to any failure to comply with any of the data protection principles, any rights an individual may have in relation to any transfers of data to third countries.
If there is an infringement of other provisions, such as administrative requirements of the GDPR, the standard maximum amount will apply, which is 10 million Euros (or equivalent in sterling) or 2% of the total annual worldwide turnover in the preceding financial year, whichever is higher.
Apart from financial penalties, you need to consider the damage to your business reputation if the ICO take action against you or your business and also that Directors can be found personally liable if a breach takes place with their consent, connivance or attributable to their neglect.
The ICO has made it clear that there will be no ‘grace’ period for businesses from 25th May and during the first 3 months of 2018 it has taken action against 23 individuals or organisations, so I would recommend acting quickly to ensure your business is GDPR compliant.
If you need any further advice please contact the GDPR team at Thackray Williams LLP