In this final article of our five-part series, having already taken an overview of what the General Data Protection Regulation is likely to mean for businesses, and specifically those that operate in the digital realm, we turn to how such businesses are likely to be affected by data subject requests and alleged personal data breaches. We also discuss how they should react to these issues, the steps they need to take to remedy them, and the potential penalties for getting it wrong.
One of the main drivers behind the General Data Protection Regulation (GDPR) is the perceived need to strengthen the rights of the individual. Under the GDPR, these so-termed "data subjects" gain improved access to the data that entities such as businesses and organisations hold about them.
From a copy of the personal data itself and details of how it is being used, through to erasure from databases (the "right to be forgotten"), data subjects are to have clear and unhindered access to these rights. The rights individuals already have under the Data Protection Act 1998 carry over and in most cases are strengthened rather than reduced. While much of the new regulation is aimed at digital data handling, it also updates how the data is delivered: where a request is made electronically, the response should be provided in a commonly used electronic form unless the data subject asks otherwise, rather than defaulting to hard copy.
Though the bulk of the new regulation is concerned with what businesses must do to comply, it also comes with a raft of "best practice" recommendations. The main thrust of these is the use of digital and remote access systems that provide a secure "self-service" approach, so that a data subject can access their own data directly. The GDPR does, however, recognise that this may not be suitable for all types of business, so it is by no means a mandatory condition of compliance.
It would be naïve of business owners to underestimate the cost of retrieving, packaging and making available these "packages" of data, and such a miscalculation could prove costly indeed. The hard truth is that the cost of providing such services falls squarely into the laps of business owners and organisations. The new regulation only allows a fee to be charged (or the request to be refused) where a request is manifestly unfounded or excessive, in particular because of its repetitive character.
The existing legislation gave data holders up to 40 days to respond to such a request. Although the new legislation shrinks that timeframe only by around 10 days, to a maximum of one month, the difference could be significant. With heightened awareness of the new rules on the part of data subjects, it is reasonable to expect the number of requests to surge after May 25th, 2018.
Businesses do have some room to manoeuvre, as the deadline can be extended by a further two months where requests are numerous or complex, provided the data subject is told of the extension and the reasons for it within the first month. Even so, businesses need to factor in the resources required to handle them.
Any fears that business owners and organisation managers may be harbouring about getting bogged down with repetitive, unfounded or excessive requests should be partly allayed under the new rules. Businesses and other data controllers may charge a reasonable fee in such circumstances, or even refuse the request altogether.
Where a request is refused, however, businesses should bear in mind that the burden of demonstrating that the request was manifestly unfounded or excessive rests with them. They must tell the data subject, without delay and within one month, why they are not acting, and inform them of their right to complain to the supervisory authority and to seek a judicial remedy. Businesses would be advised to think long and hard before refusing, as it is likely to lead both parties down the path to a complaint or judicial resolution.
Given the ever-increasing volume of personal data collected about data subjects, there is also likely to be a need for clarification from the subject about the specific data requested. Where a controller processes a large quantity of information about an individual, it may ask the data subject to specify which information or processing activities the request relates to before responding.
One of the key areas the GDPR addresses is that of personal data breaches. This should come as no surprise, given that the main driver behind the revamped regulation is a strengthening of the rights of the individual in relation to their stored data. Businesses and organisations that need to comply are therefore likely to place a great deal of emphasis on this specific area.
Bearing in mind the ramifications that data breaches can have for data subjects, and subsequently for the business or organisation involved, it is also treated as a top priority under the new regulation.
As with most of the actual nuts and bolts of the new legislation, it is left to the business owners themselves to ensure that systems are in place to alert data controllers and processors to a possible data breach. Apart from allegations from outside an organisation, the business itself is likely to be the main place where a breach is detected; note that a processor that detects a breach must notify the controller without undue delay, so contracts with third-party processors should spell out how and how quickly that happens.
There may be some ambiguity in the text of the regulation itself on questions such as "what constitutes a breach" and what is meant by "without undue delay". The need to conform to the regulation, however, leaves little room for such debate, and businesses and organisations would be prudent to take the legislation at face value. The Article 29 Working Party has published guidelines on personal data breach notification that expand on the full text of Articles 33 and 34.
Once a breach has been detected, the GDPR sets the following requirements for organisations and businesses:
· A breach that is likely to result in a risk to the rights and freedoms of data subjects must be notified to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it; a later notification must be accompanied by reasons for the delay
· A breach that is likely to result in a high risk to data subjects must also be communicated to the data subjects themselves without "undue delay"
The potential penalties for an organisation that fails in its responsibility to report a personal data breach can total up to 10,000,000 euros or 2% of the organisation's annual global turnover, whichever is higher. Failing to take "adequate measures" to safeguard personal data (the security obligation in Article 32) sits in the same tier. If that caused a sharp intake of breath, then steady yourself for more of the same: the upper tier of fines, up to a staggering 20,000,000 euros or 4% of annual global turnover (whichever is higher), applies to infringements of the basic principles of processing, the conditions for consent, data subjects' rights and international transfers, which a serious breach may well also involve.
The regulation singles out certain types of sensitive personal data as "special categories" and regards them as posing a greater risk than others. Article 9 lists racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic and biometric data, health data, and data concerning sex life or sexual orientation. Financial details and identity documents are not special categories in the legal sense, but breach guidance treats them as high risk because of the fraud and identity theft they enable.
This area of the regulation also focuses on the potential consequences a breach might have for the data subjects, and penalties are likely to rise in line with them. Fraud, identity theft, financial loss, physical harm, humiliation and damage to reputation figure highly, and these along with other factors would be taken into account.
One certainty that anyone reading this article will be fully aware of is that personal data breaches are likely to be expensive and potentially ruinous for some small and medium-sized businesses. By engaging in the process of achieving compliance, businesses and organisations are already taking one of the biggest strides towards improving their position in relation to personal data breaches.
Whether your organisation uses third-party vendors or handles its own data collection and control, it remains ultimately responsible for the data it uses. By being able to demonstrate that processes have been put in place to protect that data, and by carrying out regular risk assessments, a business or organisation will already have the leading edge.
In the unfortunate event of suffering a personal data breach, it may be what follows that adds the most value to your business or organisation.
A thorough review of your security measures, reporting procedures and the fitness of your compliance is likely to provide the building blocks for avoiding similar issues in future. Learning from a breach and how it occurred is likely to play a pivotal part in strengthening the processes already put in place to comply with the GDPR.
We hope you have found the articles in this series useful in assessing the readiness of your business and preparing it for the General Data Protection Regulation, which applies from 25th May 2018. A brief review of the previous four articles could offer some fresh insight that you can apply to your specific business operation. They cover everything from the general scope of the regulation to how it may affect certain business types, so please feel free to take a look back.