Business answers about compliance with the General Data Protection Regulation (GDPR)
The deadline for the GDPR is less than two months away. From 25 May 2018, compliance with the new regulation will be expected of all businesses. The ICO is providing regular updates on its website to help businesses prepare. However, whilst many companies are preparing for this, there are still some common concerns that we keep hearing.
In this article, we respond to some of the common concerns businesses have about personal data, the question of whether they need a Data Protection Officer, and the potential liabilities and fines they can face.
What is personal data?
Understandably, many business owners and directors are concerned about the data they are holding. What constitutes personal data? What is the responsibility of the business?
Firstly, businesses need to understand where the GDPR applies and in which role. The regulation defines two roles for organisations that handle personal data:
- The organisation that determines the purposes of the processing and the way in which the data is processed is the data controller, e.g. your company
- The organisation that processes the personal data on behalf of the data controller is the data processor, e.g. payroll providers, accountants, market research companies and cloud providers
As the data controller for your company's data, you have a responsibility to protect that data, particularly personal data and sensitive personal data. This isn't just data about your clients; it also covers your employees, suppliers and prospects. Essentially, it is any personal data your business holds. So what is personal data?
Personal data is information relating to an identified or identifiable person, i.e. data that can be used to identify an individual either directly or indirectly. The types of data we are referring to here are names, identification numbers, location data and online identifiers (such as an IP address or a cookie ID). It does not matter how you collect the data: the regulation covers both automated processing, e.g. a form completed on your website, and manual collection, e.g. sending out a paper questionnaire and collating the returns, provided the manual records form part of a structured filing system.
Personal data also includes opinions about an individual. A good example of this from the ICO's guidance is:
A manager’s assessment or opinion of an employee’s performance during their initial probationary period will, if held as data, be personal data about that individual. Similarly, if a manager notes that an employee must do remedial training, that note will, if held as data, be personal data.
You also need to be aware that pseudonymised data is still personal data. A door-access code or key fob ID is a good example: on its own it is just a number, but because you hold a record linking that code to a named individual, it identifies that person.
Then you have sensitive personal data, which the GDPR calls "special categories of personal data". This covers an individual's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, physical or mental health, sex life or sexual orientation, and genetic or biometric data where it is processed to uniquely identify the individual. These categories can only be processed under stricter conditions than ordinary personal data.
Do I need to have a dedicated Data Protection Officer?
This is a question we are regularly asked, and the simple answer is that the vast majority of businesses do not need a dedicated Data Protection Officer. The ICO states that a DPO is mandatory only if you are a public authority, or if your core activities involve large-scale, regular and systematic monitoring of individuals, or large-scale processing of special category data or criminal conviction data.
However, every business needs to show that it is taking compliance seriously and that it is continually managing this within the business. As a business owner, you do need to make sure that your organisation has sufficient people and resources to meet its obligations under the GDPR. A good starting point is to appoint a named person as the accountable manager. This person is the ultimate owner of GDPR compliance for the business and should have the full support of the board or senior management team.
The accountable manager will ensure that the organisation follows a best practice approach and, if the business suffers a data breach, that the correct process is followed to manage and report it. Bear in mind that a breach which is likely to result in a risk to individuals must be reported to the ICO within 72 hours of the business becoming aware of it, so that process needs to exist before a breach happens, not after. This isn't just about implementing processes and procedures for 25 May 2018; it is about changing the way you collect, manage and dispose of data as a continuous improvement and management programme.
GDPR penalties – am I going to be fined 2% of my global turnover?
The regulation introduces penalties, enforced by supervisory authorities such as the ICO, for not meeting its requirements. The fines are for non-compliance with the regulation, not for suffering a breach as such (although a breach that results from non-compliance will be taken seriously).
There are two levels of fines that can be administered, depending on which obligations have been breached:
- Up to €10 million, or 2% of annual global turnover, whichever is higher, for failures in obligations such as security of processing, record keeping, breach notification and the Data Protection Officer requirements
- Up to €20 million, or 4% of annual global turnover, whichever is higher, for breaches of the basic principles of processing, of individuals' rights, or of the rules on international transfers
The fines are set this high because the regulation is meant to be taken seriously. However, what the regulation is trying to achieve is that all companies process data lawfully, fairly and in a transparent manner in relation to individuals, which is not too much to ask really.
If you keep this aim in mind, you can see the logic of the approach we believe the ICO will take:
- The highest fines are reserved for companies that ignore compliance altogether and only come to the ICO's attention because of a resulting data breach.
- A company that implements processes and procedures to protect data in line with the regulation, follows them and still suffers a breach is likely to see a lesser penalty. The regulation explicitly lists the technical and organisational measures a company had in place, and how it cooperated with the regulator, among the factors that determine the level of any fine.
The key take-away from this article is to make sure you are prepared for 25 May 2018. Whilst the date is coming round quickly, there is still time to get ready, make the necessary changes within your business and train your employees.
We ran a free lunchtime webinar on Thursday 12 April on preparing for the regulation with two months to go. The webinar has now passed, but if you would like to see a recorded version, please contact us on the details below and we will share it with you.
Alternatively, if you would like to speak to one of our GDPR Consultants about preparing for the regulation, please contact us on 020 7877 0060.