The EU General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR), comes into effect on 25 May 2018. The GDPR introduces a single legal framework across the EU for handling personal data. While many of the core principles and obligations remain unchanged under the GDPR, the GDPR does impose new and stringent additional requirements.
Examples of monetary fines under existing Data Protection legislation provide a stark illustration of the potential liability facing organisations in the event of a breach of data protection which may arise through innocent human error and not just cases involving a systemic failure. St George’s Healthcare NHS Trust was fined £60,000 after a vulnerable individual’s sensitive medical details were sent to the wrong postal address. Cheshire East Council was fined £80,000 after an email containing sensitive personal information was distributed to unintended recipients. Closer to home, the Belfast Health Trust was fined £225,000 in 2012 after thousands of patient and staff records were found abandoned in a disused hospital. The Information Commissioner imposed the fine because the Trust failed to secure confidential files at Belvoir Park Hospital, which closed in 2006. The disused site became home to many vandals who broke in and stole confidential data. The thieves even posted some of the records on the internet, including X-rays and scans, in an attempt to sell the material. Northern Ireland's Department of Justice was fined £185,000 in 2014 for auctioning off a filing cabinet that contained personal information about victims of a terrorist attack. The locked cabinet was one of 59 sold off by the Compensation Agency in 2012. When the buyer forced it open, they found it contained documents about injuries suffered, family details, and confidential ministerial advice.
From May 2018, failure to comply with the GDPR provisions may result in much more substantial fines of up to EUR20 million or 4% of the organisation's total worldwide annual revenue for the preceding financial year, whichever is higher (Article 83(5), GDPR).
Whilst human error is a fact of life in any business, demonstrating compliance will help reduce the data controller's or data processor's risk of liability including administrative fines. A cornerstone of the GDPR is the new obligation to demonstrate compliance with its requirements. Whilst not an exhaustive list, the following provides an overview of 10 essential steps that ought to be taken now to help demonstrate compliance with the GDPR's requirements.
Compile a Register of Data Processing Activities
Organisations should obtain specialist advice in relation to their organisation’s specific duties and responsibilities. Louise McAloon is a Partner in Worthingtons Commercial Solicitors, Belfast. For legal advice or details of seminars and staff training packages available please telephone 028 90434015 or email email@example.com.