In October 2016, telecoms provider TalkTalk was fined £400,000 by the Information Commissioner’s Office (ICO) for failing to protect customers’ personal data, breaching the Data Protection Act 1998 (DPA).
This remains the largest fine the ICO has issued to date, yet Information Commissioner Elizabeth Denham has publicly stated that the £500,000 maximum fine for breaches of the DPA is insufficient. From May 2018, however, the incoming GDPR will expose organisations to fines of up to 4% of their previous year's worldwide annual turnover or €20,000,000, whichever is the greater. For example, under the incoming rules TalkTalk could have been fined £71,800,000. Businesses which hold large volumes of information about individuals, for example operators in the pensions sector, are particularly at risk.
Imminent Reform: The EU General Data Protection Regulation (GDPR)
The GDPR was adopted in April 2016 and entered into force on 25th May 2016; its provisions apply from 25th May 2018. It introduces significant changes for organisations in the public, private and third sectors, and heavy penalties for non-compliance. Its large fines were a deliberate measure by the EU legislators to escalate data protection to a corporate board level concern.
The two year ‘sunrise period’ expiring in May 2018 was intended to give organisations time to comply with the new law. Unfortunately, uncertainty around Brexit led many organisations to assume that the GDPR, as an EU regulation, would not take effect in the UK. However, both the British Government and the ICO have confirmed that the GDPR will become law in the UK. As a result, organisations now have only 15 months to prepare.
GDPR: the changes
The GDPR is significantly more prescriptive than current data protection law, and introduces a number of new obligations. In particular:
- organisations must not only comply with the provisions, but also be able to demonstrate to the regulator that they do so, by way of policies, training and management structures;
- certain types of organisation must appoint a data protection officer (DPO), but those not compelled to should consider voluntary appointment in order to ensure the many new requirements of the GDPR are met;
- personal data breaches must be notified to the regulator within 72 hours of the organisation becoming aware of them (unless the breach is unlikely to result in a risk to individuals), and without undue delay to affected individuals where the breach is likely to result in a high risk to them; failure to report could itself trigger enforcement action from the regulator;
- data subjects’ rights are extended significantly (for example the ‘right to be forgotten’ and to data portability), which will present an information management challenge; and
- data protection impact assessments must be carried out before commencing any new processing of personal data that is likely to result in a high risk to individuals, for example implementing new software that profiles or monitors them.
Act Now
With only 15 months to prepare for the GDPR, organisations that have not yet started must begin immediately: identifying the personal information they hold (for example, on employees, ex-employees and pension scheme members), who they share it with (for example, their supply chain, clients and regulators), and how they ensure their use of such information complies with the law.
The GDPR is a game changing piece of legislation, and any organisation that handles large volumes of information about individuals, particularly where it is sensitive in nature (for example, relating to individuals’ health or financial circumstances), will find themselves conducting a heavily regulated activity. Organisations must act now, to avoid the risk of regulatory action and reputational damage.