Many businesses still don’t have the most basic data protections in place less than a year before the General Data Protection Regulation (GDPR) comes into force, according to a leading commercial lawyer.
James Pressley from Kirwans law firm said that numerous firms could fall foul of the law when the new regulations are introduced on May 25, 2018, and have little idea of what is expected of them when it comes to data protection.
Some businesses are also unaware that their customer databases may not be valid for marketing purposes from next year, he warned, due to changing requirements in the way that personal data is collected.
Those caught out could be hit by a fine of up to €20 million when the new legislation comes into force.
James said: “There has been data protection legislation in Great Britain since 1984 when the first Data Protection Act was introduced, but despite its increasing prominence, many business owners are still in the dark about what it could mean for their business. Some don’t even realise that it applies to them.
“Firms are being prosecuted for non-compliance right now under the Data Protection Act 1998, with current fines capped at £500,000. However, when the GDPR comes into force, the amount of fines which can be handed down will see a substantial rise, and could reach as high as 4pc of turnover, or €20 million, whichever is greater.”
Currently, the Data Protection Act 1998 applies to a business if it processes personal data, or anything which can identify an individual, such as a name, email address, telephone number or IP address. The definition of ‘processing’ is wide-reaching, and includes anything held on a computer and even a paper filing system.
“This means that if you deal in any way with consumers, or even if you just hold personal details for your employees, the Data Protection Act says that you must register with the Information Commissioner at www.ico.org.uk,” said James. “It is relatively simple to register and it only costs £30 per year, yet business owners are regularly prosecuted for failure to notify.”
Recent legal hearings add weight to James’ concerns, including that of Kavitha Karthikesu, a Coventry newsagent who operated CCTV on her business premises and was fined £200 and ordered to pay costs of £439.28 and a victim surcharge of £20 for not being registered with the Information Commissioner.
Triforce Recruitment Ltd, which had been acting as a recruitment agent for service leavers and ex-forces personnel, was also prosecuted for failing to notify the Information Commissioner. It was fined £5,000, ordered to pay costs of £489.85 and a victim surcharge of £120.
Perhaps the biggest change from the point of view of owner-managed businesses is that individuals must now give ‘explicit’ consent for their data to be processed.
Currently, companies can ask visitors to their website to tick a box only if they do not want to receive marketing information, called a ‘soft opt-in’. Under the GDPR, the individual’s consent must be explicit, hence the introduction of clear statements on websites such as ‘I DO want to receive marketing information’ or ‘I DO NOT want to receive marketing information’, with the customer only able to proceed to the next page by checking one of those boxes.
James explained: “Under the GDPR, the onus is on you as the business owner to make sure that you have explicit consent. You must be able to demonstrate that consent was given and you will bear the burden of proof that consent was validly obtained. Individuals can notify you at any time that they no longer agree to you processing their data.
“The logical consequence of this would seem to be that, if you have been running a ‘soft opt-in’ system, then as of 25 May, 2018, none of your database of customers can be used for marketing purposes. It would therefore make sense to switch to an active opt-in system as soon as possible.”
In addition, said James, many business owners do not realise that any customer, employee or other person whose personal data they hold can request to be provided with details of the personal information the business holds on them.
“A business is only entitled to charge £10 for providing this information,” he explained. “If a firm holds a large amount of personal data on many individuals, this could be a very onerous task, but it must be complied with and businesses are regularly fined for failing to do so.
“Last year Wainwrights Estate Agents Ltd of Ipswich failed to comply with a subject access request. They were fined £250, ordered to pay a victim surcharge of £30 and costs of £500.
“There is still time for businesses to get their houses in order, but they do need to seek professional advice now in order to avoid a painful legal situation later.”
The five data protection rules all businesses should know
1) You should only collect data if you have a legitimate reason for doing so (for example, documenting a new employee);
2) When you collect data from an individual, you need to tell them what you will do with that data (for example, taking payment on a website). You should only use the data for the purpose it was collected. If you subsequently do something else with the data, you should inform the individual concerned of that change;
3) Data should only be held for as long as it is required and for the reason it was collected. Databases should be regularly cleaned;
4) You need to obtain the individual’s consent to use their personal data for marketing purposes;
5) Personal data should be kept secure at all times. Computers and files should be password protected and encrypted, staff should be trained and systems should be in place to maintain confidentiality.
Key forthcoming changes
· Businesses will need to have rigorous policies and procedures in place for compliance with the GDPR. Failure to do so would be likely to mean heavy punishment in the event of a data breach;
· When any investment in new technology is made (for example, IT hardware or a website), businesses will be required to design data protection into that new technology;
· Any data breach must be notified to the Information Commissioner within 72 hours;
· Businesses will have to delete information held on individuals on request by that individual;
· You will need to obtain a separate specific consent from individuals if you want to use their data for behavioural advertising (the advertising that follows you around the internet);
· Businesses must respond to subject access requests within one month.