GDPR – getting ready for May 2018

Jan 23 | 2018

The General Data Protection Regulation (GDPR), will replace the Data Protection Act on 25 May and will affect all businesses, large and small. Speaking at the Movers & Storers Show, James Backhouse from Backhouse Jones Solicitors gave a taste of what the new rules will mean and how businesses must prepare if hefty fines are to be avoided.

Rather worryingly, when asked what GDPR stood for, only one person in the Seminar Theatre audience of around 30 raised a hand. Worrying, because in only six months’ time anyone in business will have to meet stringent new rules on how they gather and use data. If they don’t comply, they’ll face fines amounting to 4% of turnover up to an eye-watering limit of 20 million euros!

Solicitor James Backhouse explained that although the GDPR is a massive EU tome, a great deal of it is likely to remain in force after Brexit. “The GDPR will replace the Data Protection Act but many of the rules within it will remain the same,” said James. “It was introduced to bring things up to date particularly with regard to the Internet, although the Regulation applies equally to paper records, not just those stored electronically,” he said.

James pointed out that the Regulation only applies to data kept about individuals, not companies, so B2B records which do not identify individuals are not substantially affected. “It’s mainly about protecting what is termed the ‘natural person’: their right to privacy, protecting them from unwanted marketing and ensuring personal information is not being held by organisations without their consent. At present the Internet is largely unregulated and the law has been playing catch-up,” said James.

The new GDPR is complex and James recommended visiting the website of the government agency responsible, the Information Commissioner’s Office (ICO), for more detailed information than he was able to give in a 20-minute presentation. For many uses of personal data, individual consent is required. One of the key elements was to make sure the process by which individuals gave consent for their data to be held and used was separate from any contract they were entering into, and that it was not a condition of any transaction. It is also a requirement that it must be clear what the individual is signing up to and that they have the right to withdraw that consent at any time with immediate effect. A system must be in place to do this.

“It is likely that more customers will opt not to give consent for their data to be used for marketing purposes, for example,” said James. “But you will be allowed to have more than one tick-box so that people can choose to receive information on certain topics they are interested in. Pre-ticked boxes will no longer be allowed, and you cannot infer consent by silence.”

Individuals will have the right to see any data organisations hold about them, free of charge, and to have records changed or deleted – the right to be forgotten.

“The ICO has considerable powers. They can carry out audits, gain access to premises, issue reprimands, restrict access to data and so on,” said James. “However, in my experience their approach is reasonable; they want people to get it right rather than come in with a big stick. But, if they do impose a penalty it will be substantial and will hit you very hard in the pocket,” said James.

James was keen to emphasise the need to start making preparations now and not to leave it until the last minute to get processes in place. “You must be able to demonstrate that you have robust systems in place to comply with the new Regulation and that you are managing your data properly. Document your procedures, but keep them simple and straightforward; that way they are more likely to be followed,” he said. “Having done that, don’t give the job of managing data to a junior member of staff. It is a big responsibility and should be handled by someone at director or partner level.”

“You must document what data you have, where it came from and, if you share it, who you share it with. If you alter a record you must inform the person you shared it with, so you must have a process in place to enable that to happen.”

James concluded his presentation by urging the audience to look seriously at the security they have in place to protect their data. “Make sure your electronic data is encrypted and password protected, and that your paper records are held securely in a locked filing cabinet that only authorised people have access to. There are a lot of non-compliant companies out there at the moment; by May 2018 you don’t want to be one of them.”

Photo: James Backhouse at the Seminar Theatre