Ashley Harkus, managing partner of Everett Tomlin Lloyd and Pratt Solicitors, looks at the looming overhaul of data protection rules and what it could mean for your business...

News that Carphone Warehouse has been fined a record amount by the Information Commissioner’s office after a data breach in 2015 should heighten awareness of the importance of protecting data. 

The £400,000 fine comes a year after TalkTalk was also fined a substantial amount for a similar issue. 

The situation will only become more worrying for companies when existing data protection laws are overhauled by the General Data Protection Regulation (GDPR), coming into force in May this year, as the penalties available to the regulator will rise to a possible four per cent of global turnover.  

Many businesses think that this won’t affect them, or suspect it is another attempt to impose a bureaucratic burden on them for no good reason, but this is a misconception: all businesses keep some level of personal data.

Every business will retain data of some sort, whether it is about their employees, clients, potential clients or customers.  

The level of information held will depend on the nature of the business. A shop may only hold the most basic information about its customers, but a care home may hold very sensitive health records or private information which it has a duty to protect.  

The purpose of the new regulations is to ensure that each business is aware of its responsibilities, identifies the data it holds and why it is holding it and then puts steps in place to ensure that the data is safe, accurate and held for an appropriate period of time. 

For some businesses which hold, process or use a high volume of data or hold sensitive data there are additional requirements that need to be met. 

They will need to appoint a person to oversee compliance – a Data Protection Officer. Public authorities, organisations that carry out regular monitoring of individuals, and businesses which process sensitive data on a large scale will have to designate somebody.  

The Information Commissioner’s office has produced some guidance on the steps that businesses need to take to be compliant.  

While this is a complex area, in brief the steps are as follows: 

• Document the categories of personal data that you hold, where it came from and who you share it with. If that information is passed on to anybody else, the regulations require businesses to maintain records of those activities and to correct any errors in personal data shared with other organisations.

• Consider who is responsible for protecting data in your organisation 

• Consider what you need to tell your clients or customers at the outset.  

Currently it is necessary to give people information about how you intend to use their data. The new regulations expand this to include telling customers or clients the lawful basis on which you process their data, how long you will keep it for, and that they have the right to complain to the Information Commissioner’s office if they think there is a problem with the way that you handle the data. 

• Make sure you have procedures covering the deletion of personal data and the rights of your customers or clients.  

Those rights will be expanded under the new regulations. At present customers or clients can make a subject access request and, as long as they pay a fee, are entitled to have a reasonable request complied with.

Under the new regulations the time limit for responding is cut to 30 days and generally no fee can be charged. Larger organisations which receive a high volume of these requests will need to consider their IT systems and potentially develop systems that allow people to access their information online. 

• Consider why you hold data and for how long. 

The purpose of the regulations is to rebalance the retention of data so that individuals have more rights, and to prevent businesses from retaining or using data without good reason. 

Given recent large scale data breaches and the prevalence of cyber crime, this appears to be a laudable aim.  

Any business which currently encourages customers or clients to allow retention of data by pre-ticked check boxes or consents buried within terms and conditions will find life much more difficult, as consent cannot be given in this way under the new regulations. Consent will become an opt-in and must be properly documented and easily withdrawn. 

Every business will need to demonstrate that it has considered how long data will be retained for and have a method of safe destruction.

• Children. For the first time there is special protection for a child’s personal data. A parent or guardian must consent if that information is going to be used.  

What happens if you don’t do this? 
Data breaches which are potentially serious have to be notified to the Information Commissioner’s office. Failure to report a breach could result in a fine as well as a fine for the breach itself. 

While the Information Commissioner’s office has indicated that fines are not to be the first resort, powers within the regulations allowing a fine of up to four per cent of a business’s turnover are enough to make business owners pay serious attention to compliance.  

Any business which is regulated or audited should expect to have questions asked about the GDPR. All businesses need to be aware of the regulations, take advice, and put steps in place in order to show compliance. Anyone hoping for leniency in the early days of the regulations may be disappointed, as the regulator will no doubt be keen to show its teeth.