In three months, the General Data Protection Regulation (GDPR) will replace the current Data Protection Act (DPA) 1998. The change takes effect on May 25, 2018, and it brings a major development in how personal data must be collected and stored, writes Karen Holden, Founder of A City Law Firm.
Despite the urgency, with only 90 days to go, a recent survey has revealed that 18% of small business owners are unaware of the GDPR and 34% have little understanding of its requirements. The poll showed that the best-prepared small businesses are in the financial industry. Hospitality and arts and entertainment businesses are the least prepared, with more than half of respondents in these industries saying they haven’t even started preparing for the changes.
Not following the new guidelines will lead to significant repercussions and fines. The government has recently confirmed that Brexit will not affect the implementation of GDPR, and that it applies to any business that holds personal data. Given that, it could not be more important to stay on top of the change and how it affects you.
The GDPR has been drafted to clearly lay out the new rules for holding personal data. A huge change is the amount of control people will have when releasing their personal data. The GDPR was introduced as a reaction to increased online activity and the sale of personal data, giving consumers more control over what happens to their data.
GDPR will bring data protection legislation in the UK up to the level of the rest of the EU. Businesses must be fully compliant with the new regulations; this article will help you understand the new law and avoid any potential fines.
The new changes
The general framework of the GDPR isn’t too different from that of the DPA: the level of compliance required depends on the volume and type of data collected by each organisation. In short, the more reliant your business is on data collection and processing, the more compliance work is required under GDPR. Privacy protection, notification and consent must still be afforded, and any data collected must be held in secure storage. The new GDPR regulations place a higher emphasis on protecting the rights of every person, so companies must now justify the legality of the data they are collecting.
Mike Cherry, national chairman of the Federation of Small Businesses, says: “The GDPR is the biggest shake-up in data protection to date. Many small businesses will be concerned the changes will be too much to handle. It is clear that a large part of the small business community is still unaware of the steps they need to take to comply.”
What Data refers to
Data can describe a range of personal information relating to an individual. It can be as simple as names and addresses, but it can also be fingerprints, DNA, recorded calls or date of birth, and now, under the new regulations, it includes any data that can be linked back to an individual. All such information held by you will be covered and protected by the GDPR.
What is the law relating to recording phone calls? How can you make sure you are doing this legally?
Legal compliance can be demonstrated by fulfilling any of the following conditions:
- The individual(s) involved in the call has consented to the recording
- The recording is completely necessary, i.e. the fulfilment of a contract or legal requirement
- The recording is needed to protect the interests of one or more participants
- The recording is in the public’s interest, or necessary for the exercise of the official authority
- The recording is in the legitimate interests of the recorder, unless those interests are overridden by the interest of the participants in the call.
An example of where a company may record a phone call would be for ‘staff quality assurance purposes’. Applying the conditions above, the company is left to satisfy the first condition (consent) to be protected from non-compliance. Condition 5 may also apply, although it would be difficult to argue that the monitoring of customer service outweighs personal privacy.
Under the DPA, when recording a phone call the individual must be informed of the recording, its purpose and how it will be processed; implied consent by continuing the call is acceptable and usual practice. The new GDPR regulations make this stricter: assumed consent will no longer be acceptable, and the individual must expressly provide consent. This can be done by recording verbal consent or by having AI in place to terminate the call if there is no explicit confirmation.
The new ‘Principle of Accountability’ requires companies to demonstrate compliance with the new rules of GDPR. The GDPR also stresses that data protection systems should be implemented with immediate effect, not phased in over a set period of time. Therefore, a realistic policy that staff and providers can actually fulfil should be implemented. Creating a 200-page policy, for example, would not be beneficial for compliance, and it makes it more difficult to prove you are fulfilling the policy.
To achieve this, protocols and principles will need to be drafted, and employees will need to be trained so that they are fully aware of the new processes and provisions. This will need to be carefully managed to ensure compliance, and should there be any breach of data privacy, companies are required to inform both the data subject and the regulators.
Individuals Have Express Access to Their Data
Everyone now has the right to access any stored information relating to them, so businesses will need to identify, retrieve and provide a copy upon request. Accordingly, companies must construct an effective way of generating this information on demand. Likewise, should any individual request that their information be deleted, this must be completed with immediate effect.
GDPR also brings new penalties for companies that do not comply with the new rules, designed to prevent further breaches. Previously companies could be fined up to £500,000; under the new regime, companies could be fined between 2% and 4% of global turnover, depending on the severity of the breach.
How a lawyer might be useful
At A City Law Firm, we believe that to identify any areas for improvement, it is first important to understand your business and its operations, as well as what information really needs to be collected. All policies should be bespoke to each company based on what can realistically be achieved, which can be identified by size, costs, suppliers, risk and compliance. Lawyers should not offer a ‘one size fits all’ solution, but offer guidance so you can implement the necessary changes and speak with providers to ensure you are compliant in time for GDPR to come into effect.
We provide regular workshops on the topic, in particular on dealing with third parties that are essential to your business.