GDPR penalties

The Information Commissioner's Office (ICO) has the power to fine a non-compliant company up to £17m, or four per cent of annual turnover, whichever is higher. However, the value of a penalty is not always pre-determined, and the behaviour of an organisation can be taken into account, for example where a culture of data protection is evident and clear steps towards compliance have been taken.
Uber data leak could have earned £17.75m fine under GDPR

Following confirmation that on-demand taxi app Uber concealed a data breach affecting 57m of its users, legal experts have suggested the company would have faced the harshest penalties of incoming data protection rules in 2018.
Who's accountable?

One of the reasons firms seem unprepared for GDPR, the study found, could be the lack of consensus over who is responsible for data protection within a business. Almost a third of respondents said it should lie with the CEO, but one in four wanted to hand GDPR over to the chief data officer. Just 22 per cent believed responsibility should lie with the chief marketing officer.
GDPR countdown: What businesses need to do right now

Over the last year, our experts have been helping small business owners get their house in order ahead of GDPR. Here are their essential tips.
Undertake an organisation-wide data audit

Ryan Wain, chief marketing officer at Unlimited Group, advised decision makers to undertake a full audit of the data held by a business. "Distinguish between personal and non-personal data, identify its use, the processes applied to it and the legal considerations. This does not have to mean line-by-line data analysis: where they can be, different data sets can be grouped together," Wain explained. "Inevitably, you will find data that's years old and no longer needed. If you decide this poses a compliance risk, deleting it delivers immediate benefits." Following this, Wain advised owners to delete old data, catalogue the results and then fill in the gaps. He added: "Possibly the most important consideration is to avoid viewing GDPR compliance as a process with a hard and fast end point. Rather, it will be an ongoing journey as you gather and process new data moving forward."
Collecting customer information under GDPR

What are retailers permitted to do with the email addresses and customer information handed over by shoppers at checkouts? Charlotte Ebbutt and Malcolm Gregory, from law firm Royds Withy King, explain the rules. "Email addresses collected at the point of sale are considered personal data under current data protection regulations and under the GDPR. The rules state that data must be 'collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.' This means that if an email address is given for the purpose of receiving an e-receipt, it must only be used for that purpose. A retailer cannot then use that customer information for marketing or any other purpose. Once the receipt has been sent the email address should be deleted, as the regulations do not allow for the unnecessary storage of personal data. If a retailer wishes to use email addresses gathered at the point of sale for subsequent direct marketing, this must be 'explicitly brought to the attention of the customer' and presented 'clearly and separately from any other information'."
Handling employee data

Even when Britain leaves the EU, data relating to EU citizens will still be under the remit of GDPR. If you are processing data related to EU citizens, your business or organisation will still be under the remit of GDPR. Post-Brexit, it remains to be seen whether UK citizens will be included in this remit. However, the wise thing to do now is to prepare to process all data under these new regulations.

Final takeaways to become GDPR-compliant
- Requests for consent must be intelligible; for sensitive personal data, users will have to 'opt in' rather than 'opt out'
- Individuals must have the right to access data
- Individuals must have the right to withdraw consent and prevent further dissemination of data
- Those concerned must be notified of a security breach