Now we all live in a post-GDPR world of data protection law, what does that really mean for businesses, and what do businesses really need to be looking out for and responding to?
Let’s assume that everyone has completed all of their GDPR compliance work, with suitable policies and systems already implemented and working with appropriate and regular review and governance. Data protection by design, and data protection by default, working as intended.
Is that the end of the story? No, obviously not.
The new data protection regime has shone a spotlight and turned up the dial on data protection rights and risk management. The day may come when data protection risk management becomes as instinctive as health and safety risk management, but that day is not today.
Even when that day does come, we are still dealing with a form of risk management. It doesn’t matter what you do to manage a risk, there is always a possibility that something will go wrong, or that someone will not agree with your approach. People can make mistakes, and others act maliciously, both putting your business at risk.
Getting your response right, in the face of data protection complaints, breaches or requests, is crucial for ensuring that your business doesn’t suffer any more damage or disruption than necessary.
Even if you are fully prepared with a set of policies and procedures to help you manage most normal data protection issues, there are still things that can (and probably will) happen to you, which may catch you off guard and heavily disrupt your business.
I have picked out what I consider to be the four most obvious examples below. Together with a few very high-level thoughts on what you need to be thinking about.
Data Subject Access Request (DSAR)
These have been around since 1998, but the rules around them have changed a bit since GDPR, including a new one-month response period. Probably more importantly, publicity around GDPR and data protection means that it is likely that the number of DSARs is likely to increase.
Responding to a DSAR is often a detailed and time-consuming task, but it is worth noting that you don’t necessarily need to disclose everything that is being asked for. There are categories of information that benefit from exceptions, and in some cases you may need the consent of someone else before you can disclose their information. In some cases you can request for an extension of time to respond, or charge administration costs.
There is, however, a narrow line to tread, because any intentional alteration (etc.) of the personal data is a criminal offence, for which both company and individual directors can be liable.
Data Security Breaches
A personal data breach that risks the rights and freedoms of individuals is reportable. The Information Commissioners Office (ICO) must be informed of that breach within 72 hours of your becoming aware of it. You risk large fines if you don’t comply with this obligation.
But there are still a couple questions that need to be answered:
Firstly, does the breach relate to “personal data”? and does the breach actually present a risk to the rights and freedoms of individuals?
Secondly, is there a HIGH risk to individual rights or freedoms? Because that is the situation in which you also need to notify those individuals.
The level of penalties that can be levied for breaching the reporting/notification requirements are such that any decision not to report or notify (all or part of) the data breach should be a Board level decision. If a decision is made not to report a breach, or not to notify individuals, then you will be expected to justify that decision – so it is important to document the decision and your reasons for it.
Complaint or Claim for a personal data breach
It is possible that the level of individual claims may increase. This is a particular risk following a breach report / notification, if claims-farming firms start to gather aggrieved individuals together for a group action.
The reason for this is that individuals can now claim compensation for “distress” alone, rather than having to show quantifiable financial loss (which was the case under the old law).
Tactically, individual claimants may make an isolated claim before reporting a matter to the ICO; and, tactically, it may be worth businesses addressing such claims early rather than incurring a greater risk of an ICO investigation, which could be very disruptive.
The starting point should be to look at such matters commercially, rather than from a principled position (even if you move to a principled position later). In the end, it is a legal claim with a threat of formal Court proceedings, so it needs to be handled as such.
Investigations by any regulators can be disruptive, and the ICO is no different. Businesses normally just need to respond to the requests of the ICO while they undertake their investigation.
Often (or at least pre-GDPR), the outcome will be that the ICO considers the business to have been compliant with data protection laws, but significant management time and disruption will have been taken up getting to that point.
What should businesses do?
These are complex areas, so it is impossible to be fully prepared for dealing with such matters; but very simply, businesses should do one of two things, with the same outcome.
Either a) ensure that the person in your business who is responsible for data protection compliance, is suitably equipped to identify and address these issues when they arise; or b) ensure that you have legal support on call to help you when an issue arises.