Hundreds of thousands of UK businesses are potentially at risk of huge fines (up to 4 per cent of a firm’s global annual turnover) by not complying with the forthcoming EU General Data Protection Regulation (GDPR) next May, according to the latest research published by the UK’s first fully compliant GDPR job board CareersinCyber.com and London law firm Hamlins LLP.
The research, which was conducted between April and May 2017 amongst 207 business owners, directors and senior management in the UK, revealed that whilst more than two thirds are aware of the forthcoming regulation and when it comes into effect, seven in ten businesses (73 per cent) have not allocated any budget to facilitate compliance with the regulation.
Other highlights of the research:
The majority (53 per cent) have not appointed a Data Protection Officer (DPO);
More than a third of open-ended answers amongst respondents reveal they are not planning to do anything about the regulation or do not know what has to be done;
When asked what the main reason would be for not preparing for the regulation:
15 per cent believed Brexit would preclude UK businesses from having to comply
12 per cent simply do not have the funds to comply
10 per cent did not want to get caught up in red tape
11 per cent did not consider there to be a business risk
Other businesses also believed their size removes the requirement to comply, yet when the GDPR comes into effect it will introduce a number of key changes which will impact organisations regardless of size or turnover.
Crucially, the regulation requires additional information to be supplied to individuals, including the need to identify the legal basis for processing data and the right for individuals to complain to the Information Commissioner’s Office if there is any problem with the way an individual’s data is being managed – for example if there is a data breach or data is being passed to third parties without express consent.
Businesses will be required to obtain a positive indication of agreement to personal data being processed. The consent cannot be inferred from silence, pre-ticked boxes or inactivity;
Consent will be required for processing children’s data. Businesses will need a parent or guardian’s consent in order to process children’s personal data lawfully;
Rules for obtaining valid consent have been changed. The consent document should be laid out in simple terms. Silence or inactivity does not constitute consent; clear and affirmative consent to the processing of private data must be provided.
The appointment of a data protection officer (DPO) will be mandatory for certain companies. These include all public authorities. In addition, a DPO will be required where the core activities of the controller or the processor involve ‘regular and systematic monitoring of data subjects on a large scale’ or where the entity conducts large-scale processing of ‘special categories of personal data’.
Firms whose core business activities are not data processing are exempt from this obligation. The GDPR does not specify credentials necessary for data protection officers, but does require they have both ‘expert knowledge of data protection law and practices’, report to the highest management level of the organisation and have adequate resources to enable the organisation to comply with the GDPR.
Simon Wright, operations director, CareersinCyber.com comments, ‘Whilst some businesses will be exempt from appointing a Data Protection Officer, there are hundreds of thousands of businesses currently exposed because they do not have the right calibre of staff to deal with data protection law and practices and ensure they can honour all the obligations under the GDPR.
‘Experts in the data protection field could find themselves in high demand and in some circumstances in a good position to name their price, as there is currently an estimated shortfall of 7,000 DPOs in the UK alone.’
Matthew Pryke, a partner at Hamlins who regularly conducts data protection audits for SMEs says, ‘Despite awareness about the GDPR, too many businesses are complacent and think because of their size or nature of business they are somehow exempt from having to comply.
‘Regardless of Brexit, this regulation – even with the words EU fronting the name – will still apply for all businesses operating in the UK. Those who leave it to chance and don’t prepare now could be left high and dry if the Information Commissioner’s Office finds businesses breach regulations.’
Other stipulations of the GDPR include:
Article 35 of the GDPR states that data protection officers must be appointed for all public authorities. In addition, a DPO will be required where the core activities of the controller or the processor involve ‘regular and systematic monitoring of data subjects on a large scale’ or where the entity conducts large-scale processing of ‘special categories of personal data.’
Firms whose core business activities are not data processing are exempt from this obligation.
The GDPR does not specify credentials necessary for data protection officers, but does require that they have ‘expert knowledge of data protection law and practices.’
The introduction of mandatory data protection impact assessments
A risk-based approach must be adopted before undertaking higher-risk data processing activities. Data controllers will be required to conduct privacy impact assessments where privacy breach risks are high to analyse and minimise the risks to their data subjects.
New requirements for data breach notifications
Data controllers will be required to report data breaches to their data protection authority unless the breach is unlikely to represent a risk to the rights and freedoms of the data subjects in question. The notice must be made within 72 hours of data controllers becoming aware of the breach, unless there are exceptional circumstances, which will have to be justified.
Where the risk to individuals is high, then the data subjects must be notified, although a specific timescale is not specified by the Regulation.
Regular supply chain reviews and audits will be required to ensure supply chains are fit for purpose under the new security regime.
Data subjects have the right to be forgotten
Data subjects have the ‘right to be forgotten.’ The Regulation provides clear guidelines about the circumstances under which the right can be exercised.
New restrictions on international data transfers
Since the Regulation is also applicable to processors, organisations should be aware of the risk of transferring data to countries that are not part of the EU. Non-EU controllers may need to appoint representatives in the EU.
Data processors share responsibility for protecting personal data
Data processors will have direct legal obligations and responsibilities, which means that processors can be held liable for data breaches. Contractual arrangements will need to be updated, and stipulating responsibilities and liabilities between the controller and processor will be an imperative requirement in future agreements. Parties will need to document their data responsibilities even more clearly, and the increased risk levels may impact service costs.