How to prepare for the new privacy laws 'with teeth' - and avoid huge fines for breaking them
This consultant delivers a masterclass in how SMEs should prepare for the GDPR.
NEXT YEAR WILL see the biggest overhaul in privacy law in two decades, and it’s going to be a game changer for many organisations.
For those who don’t know, the General Data Protection Regulation, or GDPR, is a new piece of legislation that becomes applicable on 25 May 2018.
What’s interesting about the new law is the fact that it not only applies to large companies like Facebook or LinkedIn, but the same principles will apply to SMEs, non-for-profit organisations, schools and even community groups like sports clubs. It will also apply to public sector organisations.
You would be hard pressed to find a law that applies as extensively as this one because it’s next to impossible to do business today without collecting some form of personal data.
Does the law apply to me?
Essentially, the only criteria that decides whether or not the GDPR applies to your business or organisation is whether you collect personal data.
Personal data is defined very widely – it means any information that can identify a living person.
In other words, if you, as an organisation, have employees or customers whose personal contact details you store, then you will be collecting personal data and this law will apply to you.
There are one or two derogations in the legislation. For example, the requirement to keep records of processing activities applies only if you have 250 employees or more, although some small organisations will still need to do so due to other requirements.
Other than that, there are few differences in the application of the principles as they apply to an SME or a large company.
What’s different about GDPR?
Current data protection laws in Ireland date back to 1988, so it’s not as if GDPR introduces an entire set of legal principles that never existed before.
One of main differences with the GDPR and existing law is that it places more onerous obligations on organisations to prove that they are compliant.
This concept of accountability runs throughout the new legislation, and the burden of proof is on each organisation to demonstrate upon request how they are compliant with the law.
The principle of transparency is at also the core of the GDPR, and organisations will be required to be much more up-front in terms of providing information to the individuals whose personal data they collect.
Organisations must disclose what personal data they collect, why they’re collecting it, what they’re going to do with it and who’s going to access it.
In addition, individuals will be given more rights and enhanced protection, which means that they can go back to companies and makes certain requests.
For example, a person could ask your organisation to respond to a subject access request whereby you will be required to disclose what personal data you hold on that individual.
Or they could object to receiving direct marketing from your firm or ask to ‘be forgotten’. Companies have to be ready and primed to deal with these requests when they receive them because they create an administrative burden.
You’ll have 30 days to respond to them under the new law – or else risk being fined by the Office of the Data Protection Commissioner.
Beware the ‘sleeping giant’
I think it’s fair to say that, up to now, breaches of data protection law have not carried the sort of fines that, by themselves, would dissuade an organisation from failing to comply. The GDPR has teeth and brings with it severe penalties.
There are two tiers of fines under the new legislation. The top tier can be more than
€20 million or 4% of an organisation’s global annual turnover, whichever is greater.
It’s worth noting that if there is a breach of data protection law today, the regulator has to prosecute through the courts, and the courts will decide whether to levy a fine.
That all changes under the GDPR. The regulator will be able to decide whether to fine as well as the level of fines.
If your company is being sued by an individual because of the impact your infringement of data protection law has had on them, they will now have the right to seek compensation for non-material damage.
That means they do not have to show a financial loss as a result of the infringement – they can seek compensation for distress, hurt feelings, reputational damage, and so on.
A group of the individuals could also come together under the umbrella of a not-for-profit consumer group and take a quasi-class action against your company.
So it’s not just fines you have to worry about – claims for compensation from individuals could prove to be the ‘sleeping giant’ of the GDPR.
What should you do?
A lot of people think GDPR is merely to do with securing personal data in a computer system.
While IT and data security is an important component of compliance, it is not sufficient on its own to demonstrate compliance. The GDPR applies to the entire life cycle of personal data from the moment you collect it until your safe disposal of it.
Right now, becoming GDPR-ready should be a board- and senior management-level issue. If this hasn’t yet been on your board’s agenda, it should be on the very next one.
You can’t be compliant with this law if you don’t know the basics. You will need to assess what personal data your organisation collects, where it resides in the organisation and who is accessing it.
You need to review the type of data processing that you carry out – in other words, what do you do with that information and what purposes are you using it for?
You must have a legal bases for holding it. The various legal bases for collecting and processing data are listed in the GDPR, and you must be able to identify and document which lawful bases your processing falls under.
External privacy policies – such as your website’s privacy policy – must provide sufficient information to individuals about data collection and use so as to satisfy the transparency requirements of the GDPR. Chances are, you’re going to have to refresh your policy.
With the likes of consent forms, you’re likely going to have to give more information to individuals than you did before, so that they can be considered to have given an informed consent.
Silence and pre-ticked boxes won’t work any more. There will have to be an affirmative action by an individual.
You must also look at your internal privacy policies. What did you tell staff when you collected their personal data? Have you been fully transparent with your staff about what you do with that information?
It’s important for SMEs in particular to look at personal data shared through outsourcing and supply chains.
Let’s say you outsource payroll to a third-party payroll provider. As part of that arrangement, you will allow this third-party company to access your employee personal data.
You’re required under GDPR to have a robust written contract in place between you and the service provider which must include certain contractual terms on data protection, which are prescribed by the GDPR.
You’ll need to audit your outsource contracts. This could be a big task for a company if they happen to outsource many functions such as IT management or use cloud-based services.
Once a third-party has access to any personal data, those contracts need to be revisited and brought into line with the GDPR or else you could be fined.
Training
It’s critical that you invest in training your staff. Do they actually understand what is meant by personal data and what a data breach is?
This could occur as simply as sending an email or a letter with personal details to the wrong person. Do staff know about that and would they know who to report that to internally?
You’ve got to build a culture of understanding and a culture of compliance within an organisation and that starts with your workers, so invest in their education on an ongoing basis – and keep a record of it.
Aoife Sexton is co-founder and director of data protection consultancy firm Frontier Privacy. This article was written in conversation with Conor McMahon as part of a series of masterclasses with some of Ireland’s most influential business people.
If you want to share your opinion, advice or story, email opinion@fora.ie.