In April 2016 the EU adopted a new data protection law, the General Data Protection Regulation (GDPR, Regulation (EU) 2016/679), which entered into force in May 2016 and means that new processes will have to be put in place by any business that processes personal data. It is an EU-wide Regulation, directly applicable in every Member State, and it replaces the 1995 Data Protection Directive and the national laws that implemented it. The main Supervisory Authority in the UK will be the Information Commissioner’s Office (ICO), which has stated that even though the UK will be leaving the EU in the coming years, the UK will fully implement the GDPR so that it can seamlessly continue to trade with the EU.
Companies have until 25 May 2018, when the Regulation starts to apply, to ensure they can comply. Companies that do not comply can be fined up to 4% of global annual turnover or €20m, whichever is greater.
Given the prevalence of cyber attacks these days, a personal data breach is highly likely; it is estimated that 80% of all companies have suffered some form of cyber attack. However, it should be noted that personal data breaches are not always the result of a cyber attack. Often it is employees who unwittingly, or maliciously, send personal data to an unauthorised recipient or lose a device holding personal data (smartphone, laptop, USB stick, mass storage system), or alternatively it is the organisation’s processes or IT systems that allow unauthorised access to personal data. Companies therefore need to ensure that they are compliant with these regulations.
The GDPR puts much more emphasis on organisations that process personal data protecting the rights and freedoms of Data Subjects. The burden of demonstrating compliance has also shifted from the Data Subject to the Data Controller (the company or organisation). In practice this means being able to demonstrate the legal basis for processing personal data, documenting processing activities, having conducted a risk assessment (a Data Protection Impact Assessment) before starting any new processing, in particular processing using new technologies, that is likely to result in a high risk to individuals, and reporting any personal data breach to the Supervisory Authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals.
Moreover, the legal basis for processing personal data has to be made clearer to Data Subjects, and the contracts between Data Controllers and Data Processors have to contain explicit clauses on when and how personal data is to be processed.
The Information Commissioner’s Office (ICO) will be the primary Supervisory Authority in the UK. However, in some industry sectors the current regulators will also have a role to play; in the Financial Services sector, for example, the FCA will be influential. Under the GDPR the ICO will have greater powers to investigate reports of non-compliance and greater scope for imposing operational sanctions, including preventing an organisation from any further personal data processing until full compliance is proven, as well as financial penalties of up to 4% of global annual turnover or €20m, whichever is greater.
In essence, this new law obliges organisations to maintain detailed records regarding the collection, legal basis, processing and storage of all personal data.
Risks of Non-Compliance to Companies
If the Supervisory Authority decides that all data processing must cease until it is compliant with the GDPR, your normal activities will have to stop. If your customers cannot access your products and services, you will have to stop trading.
There are severe penalties for non-compliance: 4% of global annual turnover or €20m, whichever is the larger. On top of these fines come the cost of legal advice, the cost of rectification (consultants etc.), any compensation payable to customers who have suffered damage or distress, and the potential loss of revenue from customers leaving and new customers not joining. Further hidden costs are the management time that will have to be devoted to getting any processing restrictions lifted, managing the recovery team and dealing with customer complaints and enquiries.
The loss of trust between the company and its customers could be the major factor in determining the future viability of the company. Just think of the images that brands like TalkTalk, BP and the News of the World conjure up. Any corrective order issued by the ICO will be a matter of public record and might become the next case study.
Increased Scrutiny from the ICO and Media
The consequences of a personal data breach are that not only the ICO and other regulators, but also the media, will take a keen interest in the activities of your organisation. Unfortunately, the media will then forever refer back to the incident whenever articles are written about your organisation.
Management Time Lost
Should there be a personal data breach, a huge amount of remedial work will be required to put the situation right. This will require the senior management team to devote considerable time and resources that could be used more productively in the core business.