GDPR Compliance – Essential steps to prepare your business for 25 May 2018
22 January 2018
The EU General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) comes into effect on 25 May 2018. The GDPR introduces a single legal framework across the EU for handling personal data. While many of the core principles and obligations remain unchanged under the GDPR, it also imposes new and more stringent additional requirements.
Examples of monetary fines under existing Data Protection legislation starkly illustrate the potential liability organisations face in the event of a data protection breach, which may arise through innocent human error and not only through systemic failure:
- St George’s Healthcare NHS Trust was fined £60,000 after a vulnerable individual’s sensitive medical details were sent to the wrong postal address.
- Cheshire East Council was fined £80,000 after an email containing sensitive personal information was distributed to unintended recipients.
- The Belfast Health Trust was fined £225,000 in 2012 after thousands of patient and staff records were found abandoned in a disused hospital. The Information Commissioner imposed the fine because the trust failed to secure confidential files at Belvoir Park Hospital, which closed in 2006. The disused site became home to many vandals who broke in and stole confidential data. The thieves even posted some of the records on the internet, including X-rays and scans, in an attempt to sell the material.
- Northern Ireland's Department of Justice was fined £185,000 in 2014 for auctioning off a filing cabinet that contained personal information about victims of a terrorist attack. The locked cabinet was one of 59 sold off by the Compensation Agency in 2012. When the buyer forced it open, they found it contained documents about injuries suffered, family details, and confidential ministerial advice.
From May 2018, failure to comply with the GDPR provisions may result in much more substantial fines of up to €20 million or 4% of the organisation's total worldwide annual revenue for the preceding financial year, whichever is higher (Article 83(5), GDPR).
Demonstrating compliance may help reduce the data controller's or data processor's risk of liability including administrative fines. A cornerstone of the GDPR is the new obligation to demonstrate compliance with its requirements. Whilst not an exhaustive list, the following provides an overview of basic steps that ought to be taken now to help demonstrate compliance with the GDPR's requirements.
- Compile a Register of Data Processing Activities.
- Update Data Protection policy and build data protection principles and measures into all existing policies and procedures across the organisation.
- Review and update all third party supplier/partner contracts.
- Update and plan to re-issue Privacy Notices.
- Conduct an Information Security Review.
- Review Document Storage and Retention Policy.
- Review Contracts of Employment and related HR Policies.
- Amend Subject Access Request Policy and Procedure.
- Introduce compulsory staff training in Data Protection on an annual basis.
- Plan ahead for mandatory data breach reporting to the Information Commissioner’s Office.
- Create ongoing processes for Audit and Review.
Organisations should obtain legal advice in relation to their specific duties and responsibilities. Louise McAloon is a Partner specialising in employment law at Worthingtons Solicitors, Belfast. For legal advice or details of seminars and staff training packages available, please telephone 028 90434015 or email firstname.lastname@example.org