10 steps companies must take to ensure they meet latest EU data protection rules
The EU General Data Protection Regulation (Regulation (EU) 2016/679), the GDPR, comes into effect on 25 May 2018. It introduces a single legal framework across the EU for handling personal data. While many of the core principles and obligations remain unchanged from existing law, the GDPR also imposes new and more stringent requirements.
Fines imposed under existing data protection legislation illustrate the potential liability facing organisations in the event of a data protection breach, and show that such breaches may arise through innocent human error and not only through systemic failure.
St George's Healthcare NHS Trust was fined £60,000 after a vulnerable individual's sensitive medical details were sent to the wrong postal address.
Cheshire East Council was fined £80,000 after an email containing sensitive personal information was distributed to unintended recipients.
Closer to home, the Belfast Health Trust was fined £225,000 in 2012 after thousands of patient and staff records were found abandoned in a disused hospital.
The Information Commissioner imposed the fine because the trust failed to secure confidential files at Belvoir Park Hospital, which closed in 2006. The disused site became home to many vandals who broke in and stole confidential data. The thieves even posted some of the records on the internet, including X-rays and scans, in an attempt to sell the material.
Northern Ireland's Department of Justice was fined £185,000 in 2014 for auctioning off a filing cabinet that contained personal information about victims of a terrorist attack. The locked cabinet was one of 59 sold off by the Compensation Agency in 2012. When the buyer forced it open, they found it contained documents about injuries suffered, family details, and confidential ministerial advice.
From May 2018, failure to comply with the GDPR may result in much more substantial administrative fines of up to €20m or 4% of the organisation's total worldwide annual turnover for the preceding financial year, whichever is higher.
While human error is a fact of life in any business, demonstrating compliance will help reduce the data controller's or data processor's risk of liability, including administrative fines.
A cornerstone of the GDPR is the new obligation on organisations to be able to demonstrate compliance with its requirements. While not an exhaustive list, the following 10 steps ought to be taken now to help demonstrate that compliance.
1. Compile a register of data-processing activities
2. Prepare and issue privacy notices to staff and service users
3. Ensure appropriate written agreements are in place with third parties/suppliers
4. Organise annual data security and protection training for staff
5. Appoint a data protection officer/manager/leader/champion
6. Put in place an incident reporting and response plan
7. Update your data protection policy to reflect GDPR provisions
8. Create a document storage and retention policy
9. Conduct an information security review
10. Review and update contracts of employment and existing policies (including how subject access requests are dealt with) to embed GDPR compliance within the organisation, and schedule annual reviews.
Organisations should obtain specialist advice on their own specific duties and responsibilities. Louise McAloon is a Partner in Worthingtons Commercial Solicitors, Belfast. For legal advice or details of seminars and staff training packages available, please telephone 028 90434015 or email firstname.lastname@example.org.