With less than a year until implementation of the EU’s new General Data Protection Regulations (GDPR), businesses must be confident that they know how to pick a clear path through this potential minefield. Martin Allen-Smith explains how
The race is on for organisations to ensure compliance with what amounts to a significant broadening of data protection rules when GDPR comes into force on 25 May 2018. The GDPR gives regulators considerably enhanced powers. If an organisation cannot demonstrate that good data protection is a cornerstone of their business policy and practices, they could be leaving themselves open to enforcement action that can damage their reputation and their financial bottom line. It is of course all too easy to fall foul.
Two companies have recently been fined a total of £83,000 for breaking the rules over the way personal information is treated when sending marketing emails. An investigation by the Information Commissioner’s Office (ICO) found Exeter-based airline Flybe deliberately sent more than 3.3m emails to people who had told them they did not want to receive marketing emails from the firm. Sent in August 2016 by Flybe, with the title ‘Are your details correct?’, the email advised recipients to amend any out of date information and update any marketing preferences. The email also said that by updating their preferences, people may be entered into a prize draw. As a result, the airline has been fined £70,000 for breaking the Privacy and Electronic Communication Regulations (PECR). A separate ICO investigation into Honda Motor Europe revealed the car company had sent 289,790 emails aiming to clarify certain customers’ choices for receiving marketing. The firm believed the emails were not classed as marketing but instead were customer service emails to help the company comply with data protection law. Honda could not provide evidence that the customers had ever given consent to receive this type of email, which is a breach of PECR, so the ICO fined Honda £13,000. Steve Eckersley, ICO head of enforcement, said that both companies sent emails asking for consent to future marketing. “In doing so they broke the law,” he explained. “Sending emails to determine whether people want to receive marketing without the right consent is still marketing and it is against the law. Businesses must understand they can’t break one law to get ready for another.”
The cases are a timely reminder not only that breaches of existing data protection law carry potential financial and reputational risks, but that the rules are about to get even tougher and organisations should be making sure their processes are well in order ahead of the implementation of GDPR. While Flybe’s fine could be seen by some as relatively modest, the scope for tougher sanctions is most certainly there. For the most serious violations of the law, the ICO will have the power to fine companies up to €20million or 4 per cent of a company’s total annual worldwide turnover for the preceding year. It should certainly be enough to make all organisations take the issue extremely seriously. Global practice leader for cyber risk consulting at Aon, Adam Peckman, points to a number of significant (“game-changing”) issues surrounding the new regulations that will change the EU data privacy landscape.
“Under current EU law, only data controllers have statutory obligations when processing personal data, the GDPR extends these responsibilities to data processors,” he explains. “As a result organisations [have] to test, analyse and improve current internal processes to comply with the new regulations.” So what do businesses need to be doing? According to law firm DAC Beachcroft, there are two main approaches to preparing for GDPR – bottom-up or top-down, or somewhere in between. Partner at the firm, Emma Bate, finds that for smaller organisations with fairly standard procedures and limited use of personal data, the top-down approach may be appropriate. This is where the GDPR team creates the new processes and procedures, based on their own knowledge of the business and then rolls those new policies out.
Bate advises that for larger organisations, where no single team or person understands how personal data flows throughout the whole business, a bottom-up approach may be more fitting – starting with a data mapping and GDPR readiness project which investigates how personal data is flowing through an organisation, and carry out a gap analysis; the result being a major implementation plan. “Both halves – producing the readiness report and the implementation plan – are major projects for large complex businesses,” she explains.
Implications of non-compliance
With one year to before the implementation deadline, just how well prepared are organisations? It’s a mixed bag, according to Bate. “There are businesses that have already been through the GDPR data mapping and gap analysis and have a GDPR readiness report. Some of those businesses are now well down the road to implementing that readiness report, with actions planned over the coming months. “Many other businesses have not even started thinking about [it], and probably won’t do until it is in force – or maybe not even until the large fines come through.” It is important to understand the implications for businesses that fail to meet required levels. Of course there are the fines, and this is what catches the headlines; but the ICO has many other powers. On top of these, individuals will also be entitled to bring claims for any breach of the new rules. Article 58 of the GDPR sets out the powers of the ICO and other supervisory authorities. These powers are substantially more wide ranging and invasive than under current law. They include the power to carry out mandatory investigations and audits of businesses (the ICO has used a similar power it has under section 41a of the Data Protection Act to great effect in the public sector). The powers also include the option to order a temporary or permanent ban on processing or to suspend data flows to a specific country or international organisations. “Under Article 79, all data subjects have the right to an effective judicial remedy (most often likely to be damages) for any breach by a data controller or a data processor of the GDPR,” Bate notes. “On an individual basis, we expect these claims only to be a few hundred or maybe a few thousand pounds. However, the concern is that data security breaches could become the next PPI.” There are a number of sizable and complex specific challenges for businesses to consider. Firstly, the GDPR has a longer list of specific requirements to be included in a privacy policy, and all organisations will have to update this. For example, in relation to group insurance, there are challenges in delivering privacy policies to employees where employees’ details are being handled by insurance brokers, insurers and other insurance sector firms. Personal data in some cases will travel all the way up the chain, for example in relation to a large claim. The employee, and perhaps even their family members, should be provided with a privacy policy from every insurance business which handles their personal data. Swift action will also be critical in the event of a data problem since the GDPR introduces for the first time a mandatory breach response regime.
Businesses have just 72 hours from the time they discover a security breach, to assess if there is any risk to individuals and notify the ICO. They must also notify the data subjects at the same time or shortly afterwards, if there is a high risk of harm to those individuals. DAC Beachcroft’s Bate advises that businesses look at their internal processes to ensure first that breaches will be picked up, and then will be directed to the right team for them to be handled correctly. “The timeframe is...challenging in itself, but the issues increase when data processors are also involved. The time starts ticking when the data processor becomes aware of the breach. If there are a number of data processors in a chain, then the contracts must ensure that the information is passed up to the data controller in sufficient time for it to assess the breach and notify the ICO and data subjects.” It is important to note that Brexit is likely to have little or no impact on the relevance of the GDPR requirements. “As the regulations will be implemented prior to any formal Brexit, from a practical perspective the UK approach should not differ from the approach being taken by European neighbours,” Aon’s Peckman points out. “Beyond that, only time will tell but effectively if you are a UK company that processes data in EU territories in a post-Brexit world, there will remain an obligation to comply.” Rob Luke, deputy commissioner for policy at the ICO, believes that it would be short-sighted to view these tightening rules on data protection solely as a risk to be mitigated and the ICO as a regulator not to fall foul of. “Instead, I urge businesses to view data protection as an opportunity to be seized; seized by companies looking to build a level of trust with their customers that helps deliver competitive advantage. Get data protection right, and you can see a real business benefit. “It’s clear some businesses will thrive in this changing environment. They’ll be the ones that look at this whole issue through the eyes of their customers. We need to move from a mindset of compliance to a mindset of commitment to managing data sensitively and ethically, not just because it is the law, but because it is part of basic good business practice, like honest pricing or good customer service.” And yet there is a sense that the data protection issues facing organisations now and over the coming months are just a taster of what is to come in the future. Aon’s Peckman notes: “If trends continue, law reform surrounding data protection will continue to ask more of organisations who handle personal data. Globally, we can expect to see other nations follow the trend of the European Union by imposing stricter laws for organisations to comply with and imposing tougher fines on those who don’t comply.”
This article was published in the May 2017 issue of CIR Magazine.
Download in PDF format
Click here for more interviews and analysis
Contact the editor
Follow us on Twitter
Printed Copy:
Would you also like to receive CIR Magazine in print?
Data Use:
We will also send you our free daily email newsletters and other relevant communications, which you can opt out of at any time. Thank you.
YOU MIGHT ALSO LIKE