The General Data Protection Regulation (GDPR) will come into effect in the UK from 25 May 2018. This affects all businesses, small or large, that hold personal data, and you need to start preparing now.
The government has confirmed that the UK’s decision to leave the EU will not affect its commencement, so you need to understand the requirements and implement the necessary infrastructure in order to ensure full compliance or face the risk of huge fines.
The introduction of the GDPR is designed to set a clear, unambiguous standard for businesses to adhere to when holding personal data and, more importantly, allows everyone to understand their rights in respect of information held about them. The GDPR is a reaction to increased use of the internet and sales of personal data, affording the ‘data subject’, including individual consumers, more control over the usage of their personal data.
The new law will replace the existing Data Protection Act 1998 (‘DPA’). Your business must have robust policies in place about its use and maintenance of data in order to withstand scrutiny and avoid potential fines.
What are the principal changes under the GDPR?
Businesses should take note that the general framework of the GDPR is similar to that of the DPA. The level of compliance required for an individual organisation will mostly depend on the type and volume of data collected. In essence, the more central data collection and processing is to your business, the more compliance is required under the GDPR. It also introduces controls over data processors for the first time; they were exempt from the existing DPA.
You must still afford privacy protection, notification and consent, and protect information by secure storage. However, the GDPR places greater emphasis on protecting the individual’s rights. Businesses that collect and process data will now have to justify its legality.
What do they mean by ‘Data’?
This can be names and addresses, fingerprints, DNA, recorded calls and dates of birth, and now also includes pseudonymised data that can ultimately be traced back to a person. All of this information, held by you, will be covered and protected by the GDPR.
I record calls presently. Can I still do this? How do you show you are doing this legally?
This can be demonstrated by fulfilling any of the following conditions:
- The individual(s) involved in the call has given express consent to the recording;
- The recording is necessary for the fulfilment of a contract or legal requirement;
- The recording is necessary to protect the interests of one or more participants;
- The recording is in the public interest, or necessary for the exercise of official authority;
- The recording is in the legitimate interests of the recorder, unless those interests are overridden by the interest of the participants in the call.
Take, for example, where businesses use call recording ‘for staff quality assurance purposes’. When applying this to the above conditions, it really leaves the business to fulfil condition 1 in order to protect itself from non-compliance. Condition 5 may also apply but, in reality, it would be difficult to argue that the legitimate interest of the business in monitoring and evaluating customer service would outweigh the interest of personal privacy.
What does this mean in real terms if you want to continue recording calls? Under the DPA, where call recording takes place, the individual must be informed that it is being recorded and told of the purpose and how that information will be processed. Implied consent, given by continuing the call, is acceptable and usual practice.
The GDPR changes this and is more stringent, as implied or assumed consent will not be acceptable. The GDPR will require that the individual expressly gives consent, whether by recording their verbal consent or by having AI in place to terminate the call if no explicit confirmation is given.
This will create a significant challenge for organisations such as call centres where recording is done automatically by the telephone equipment. They will be required to replace or update their call equipment to ensure that a customer is not disenfranchised from service if they do not want calls recorded.
Another key change is access.
You will now have an absolute right to access your information, and this will need to be identified, retrieved and a copy provided upon request. So as a business you need to work out how, in reality, you can do this. Furthermore, if requested, you as a business must irretrievably delete such information without delay. As such, any policy you put in place must be coordinated with your IT and call recording providers to ensure you can satisfy your own policy.
Existing Subject Access Requests allow companies to charge £10 to provide a list of the data to be accessed. That sum rises to £50 for medical data. It also allows companies to extend the timescale for providing the data by coming back and asking for more guidance as to what data is required and over what time period. The GDPR sets a strict 30-day response period for companies and removes all charges for access to data. This can be varied for some sectors, with the UK government already issuing exemptions around access to and deletion of data.
Businesses will have to demonstrate compliance with the new rules under the new ‘Principle of Accountability’. It should be carefully noted that the GDPR stresses the importance of including data protection systems at the outset, not merely implementing them over time. Do not create a 200-page policy for effect when in reality your staff or providers cannot fulfil its obligations. Have a practical and honest policy so that, if you are held to account against it, you can prove fulfilment.
How can this be done?
Like other areas of business where compliance needs to be demonstrated, policies and protocols will need to be drafted with a system of checks and balances. Staff will need to be trained and made well aware of the new provisions, and there will have to be effective implementation and careful management. Organisations will also have a mandatory requirement to inform regulators and data subjects of any breach of data privacy within 72 hours of its being detected. Current DPA laws do not require breaches to be notified, and for many organisations this timescale will be extremely challenging.
Non-compliance always attracts a level of penalty designed to punish and deter organisations from committing further breaches. Under the DPA, businesses could be fined up to £500,000. Under the GDPR, fines of 2% of global turnover can be levied for minor breaches, rising to 4% for severe breaches. Considering the impact that such fines may have on a business, it is time to act, and to do it now.
What should lawyers be doing to help you?
At A City Law Firm, we believe that by understanding your business and its operations, as well as the information you really need to collect and process, we can identify the areas which need to be improved, regulated and covered by policy. All policies should be bespoke to you and to what can actually be achieved, based on size, costs, and suppliers versus risk and compliance. Lawyers should not just offer a template document but actual guidance, so that you can implement the necessary changes, talk with your providers and ensure you are ready and compliant by the time the GDPR comes into effect.
We give regular workshops on this topic, and in particular on dealing with third parties who are essential to your business; every business should attend some form of training.
Should you prefer to discuss your business and GDPR requirements with us, we will be pleased to offer a consultation.
Karen Holden is the Managing Director & Founder of A City Law Firm who practise both commercial law and litigation, having been admitted to the roll in 2005. If you require further advice or assistance, please do not hesitate to contact firstname.lastname@example.org
A City Law Firm Limited is a leading entrepreneurial law firm in the City of London, with a dynamic and diverse team of lawyers. It was awarded Most Innovative Law Firm, London 2016 and Business Law Firm 2017. They specialise in start-up business law, the tech industry, IP and investment.