Implications of the new data protection law
This week, Margaret Canning speaks to Dr Ken MacDonald, whose remit as head of regions for the Information Commissioner's Office (ICO) extends to Northern Ireland, Scotland and Wales, about the challenges facing firms ahead of the introduction of the General Data Protection Regulation. Pinsent Masons' partner Laura Gillespie, an expert in regulatory matters, also shares her advice for firms.
Q. We are only 58 weeks away from the The General Data Protection Regulation (GDPR) becoming law on May 25, 2018 - what do you think the biggest change will be for Northern Ireland businesses?
A. The GDPR brings a lot more responsibilities to business to enable consumers to exercise the rights they have under existing data protection law. It supplements rights of access so businesses have to tell their customers much more information about what they are doing with the information that they hold about them.
Under certain circumstances, there are rights for customers to have information deleted or to have data that's held about them in relation to services downloaded and supplied.
Organisations will also be required to properly record what they are doing with the data, how they are handling it, etc.
It's really an extension of the duties that companies have to customers and much of what it provides reflects the guidance that the ICO has been promoting over the past eight or nine years.
The GDPR shouldn't come as a shock if businesses have been diligent.
We know that organisations recognise the risks that there are and that so much information can be held - and lost - by fair means and by foul. Because the Information Commissioner was given greater regulatory powers in 2010, which included the ability to fine, the potential financial impact - combined with the reputational damage that can be caused to organisations which lose personal information - meant senior executives sat up and took notice.
The maximum fine which the commissioner can impose is £0.5m - but under GDPR, that goes up substantially, so that the maximum fine that can be issued is either €20m (£17m) or 4% of global turnover.
The €20m/4% of turnover fines is the upper limit, but it's a recognition of the damage that can be done to people from a massive data breach arising from carelessness or disregard for data.
For companies who have already stayed on top of their data protections, GDPR brings nothing to fear. For a business that has been following best practice, it shouldn't be an onerous responsibility. For other businesses, it does make sense. Data protection has got a bad name but it is a very helpful tool for business, partly by encouraging trust and loyalty, but also it helps efficiency as you only hold the data than you need to hold.
There's no point in holding records that go back 20 years if you don't need them. Everything you hold costs your business money."
Q. What steps should businesses take now in relation to data processors?
A. GDPR also puts more specific obligations on data processors, the third parties who sometimes handle personal data for companies.
They're already required to have a contract in writing saying that they will abide by Principle 7 security. GDPR now states that the agreement has to be in much more specific detail about the sorts of security that has to be put in place. We'd urge companies to start looking at the relationships they have with third parties and making sure that their contracts are GDPR-proofed by May 25 next year.
Q. Privacy by Design is a new concept under GDPR - can you explain what exactly businesses will need to do to comply?
A. This is something the ICO has been promoting for a number of years. At its most simplistic, it's about organisations putting some thought into the information that they're gathering from customers and how they might store it. Do they need everything they are asking for? If not, they shouldn't be holding it under the current act, and certainly not under GDPR.
Q. Subject Access Requests are becoming ever more frequent. This can create quite an administrative burden on organisations to respond. What will the new law say?
A. The key thing that differs is that under current law, you have 40 days to respond, but under the new law, you have a month - so it's a much shorter time period. There's also an ability where a request is manifestly unfounded or excessive to charge a fee based on the administration costs of providing the information or refuse to respond altogether.
Q. Can you explain when exactly an organisation will need to employ a Data Protection Officer?
A. Currently many organisations have someone who's designated as a DPO but this is not the same as required under GDPR. It's a very specific post and will be required for all public authorities and for organisations who are processing what is essentially sensitive data on a large scale.
Q. Under the GDPR, the ICO's ability to issue penalties will increase from £500,000 to €20m or 4% of global turnover - what sort of aggravating factors do you think would result in larger fines?
A. In the worst case, a fine of up to €20m or 4% of global turnover - whichever is larger - can be imposed, broadly where the rights of the individual have been ignored or breached. If there is a query over a subject access request, you may be moving into that higher-level fine. There may be more process-type breaches, where it's more like €10m or 2% of global turnover, whichever is larger. That can include a security breach - and we have a new requirement that you must always report those, though we have always encouraged that. The largest fines are for breaches of rights and the smaller ones are for not notifying us of a breach or other failures in the process. When it comes to us setting the levels of fines,we look at aggravating factors such as what's their governance been like, have they made that internal audit, have they failed to notify."
Q. What steps should businesses be taking now in preparation?
A. The ICO has published a guidance, 'The 12 steps to GDPR'. That's downloadable to our website. The ICO as well in NI will be doing a huge amount of promotional work over the next year, talking at conferences and meeting business leaders. But first of all, go to the website and download 'The 12 Steps to GDPR' and start taking action. It's no good looking at it on May 24 next year because that's far, far, too late. It's a year to go and a lot of work has to be done, especially if you haven't been following good practice to date.
Senior business leaders are balancing many concerns in the wake of Brexit and other shifting political and economic landscapes. A partnership between the Belfast Telegraph and international law firm Pinsent Masons, 'What's on your mind?', is a series of interview platforms for some of Northern Ireland's prominent business leaders to outline what's most pressing on their agenda and how they view these challenges. Pinsent Masons' experts will provide analysis as to how businesses facing similar issues can minimise risk and navigate it successfully