The recent headlines about Facebook, and about what companies do with customer data, have put the issue of data protection firmly in the spotlight.
While Facebook users have expressed alarm at how their data was harvested and sold on to third-party companies, new regulation coming into effect next month will not only hand greater control over personal data back to individuals; it will also place greater demands on every business, of any size, in how it looks after that data.
The General Data Protection Regulation (GDPR) will be introduced on May 25 across the European Union. The impact of the legislation will be far reaching because it applies to any organisation that holds or processes the personal data of individuals in the EU.
Simply put, if you have customers, then everyone inside your organisation will be affected by and responsible for complying with the new regulations. GDPR is the biggest change to data legislation in 20 years and is set to change the legal landscape irrespective of how and when we deal with Brexit.
GDPR was initially derided in some quarters, particularly in America. Now it is being championed for the way it protects the individual against the sort of practice that has seen Facebook, Apple, Microsoft, Google, and many other companies around the world, profit from selling information about their customers.
The new regulation also introduces more stringent and prescriptive data protection and compliance challenges, backed by eye-watering fines. It is worth stressing that the biggest fines will only be applied in exceptional cases. It is not designed to put small businesses out of business, but it is designed to make every business take the issue of data protection a lot more seriously.
For example, the introduction of new rights for individuals, such as the right to be forgotten and the right to portability, together with mandatory breach notification requirements, is likely to increase the regulatory burden on organisations of all sizes.
Key changes include:
- Fines for a breach of GDPR are substantial. Regulators can impose fines of up to 4% of annual revenues or €20m
- Data Protection officers must be appointed if companies conduct large scale monitoring or process large amounts of sensitive personal data
- Organisations must prove that they have established a culture of monitoring, reviewing and assessing data processing procedures
- Explicit consent needs to be gained if organisations intend to make data available to third-party providers such as Google Analytics
Some directors would even argue that GDPR is potentially just as onerous as the UK Corporate Governance Code, which came into force in 2016, and not only because of the potential size of the penalties.
Under GDPR a number of new rights for individuals have been created. They include…
- The right to be forgotten: this means the right to ask data controllers to erase all personal data without undue delay in certain circumstances
- The right to data portability: where individuals have provided personal data to a service provider, they can require the provider to “port” the data to another provider, provided this is technically feasible
- The right to object to profiling: meaning the right to object to being subject to a decision based solely on automated processing
It’s not only companies that are affected; the third sector also needs to comply. Whilst most charities are questioning how they can contact donors and supporters, the new regulations apply across the board. Campaigning, marketing, managing volunteers and recording information about service-users are all likely to involve processing an individual’s data.
The board will need to look at people, processes and systems: how personal data is acquired, stored and used. For some companies this may even require an organisational culture shift.
Though data breaches may grab the most headlines, there are many elements required to demonstrate compliance, and a top-down approach is one of the best ways a company can prove it is taking them more seriously. This is particularly the case for larger companies that handle and store higher volumes of customer data and permit access to that data in a more de-centralised way, such as from hand-held devices.
Key areas for organisations to consider:
- Expanded scope: are you a data processor or data controller either processing personal data inside the EU or processing the personal data of EU citizens?
- Data Protection Officers: do you conduct large-scale systematic monitoring (including employee data) or process large amounts of sensitive personal data?
- Accountability: do you have a data protection programme and are you able to provide evidence that you comply with the requirements of GDPR?
- Breach notification: would you be able to notify a data protection authority of a data breach within 72 hours?
- Privacy by design: do you build data protection and privacy requirements into the development of your organisation’s processes and systems?
- New rights: do you know how you will be able to comply with the new rights? The right to be forgotten, the right to portability and the right to object to profiling.
GDPR will clearly give organisations and the people who run them a lot to consider, and now would also be a good time to revisit the need for Directors and Officers insurance.
Any action or investigation alleging wrongdoing by a director is likely to trigger a claim for defence costs under such a policy, which makes the cover even more valuable.
Even decisions made with the best intentions can be scrutinised. Directors Liability Insurance provides protection against the risks personally faced and peace of mind for directors. IoD members save up to 35 per cent.
The IoD has a comprehensive hub of resources, template policies and guidance to help businesses get underway with GDPR preparations. See our resources here.