‘Serious’ is one of those words in the English language that has multiple meanings depending on context. When we suggest that you should take the GDPR (General Data Protection Regulation) seriously, we do not mean that there is a chance you might regard it as a source of great mirth or even hilarity; if only it were. No, we clearly mean that it has to be regarded as a matter that can have a serious impact on your business and should, therefore, be taken, well, seriously.
As we have previously commented, the GDPR could result in frankly eye-watering fines should you decide not only to flout its provisions but to do so in a mind-bendingly irresponsible manner. Do we think that the ICO (Information Commissioner’s Office) will ultimately use these extreme sanctions? Yes, it may well, one of these days. Will it use them as a matter of course? No, and we are confident in that assertion.
The thing to understand, however, is that the ultimate sanction is not the only risk to business under the terms of the GDPR; there are other, less obvious risks which any business contemplating the costs of GDPR compliance should take into account.
Allow us to introduce you to Vidal-Hall and others v Google. This was a claim brought against Google which alleged that Google had obtained information via cookies from the claimants’ browsing history (we’re simplifying, obviously). Ultimately the UK Court of Appeal found in favour of the claimants, and the key finding in this case was that a claimant could bring a claim for damages where there was no demonstrable pecuniary loss. The core of the claimants’ argument was that their personal data had been misused because they had not explicitly given consent. Google didn’t exercise its right of appeal to the Supreme Court and settled; as a consequence, the result of this case stands as precedent until such time as it is confirmed or overturned in the Supreme Court.
Rendering complex legal decisions in understandable terms is always a challenge. The upshot should be clear, however: if an organisation misuses a data subject’s data, it lays itself open to legal action for damages regardless of whether or not the claimant actually suffered financial loss. Such misuse would almost certainly include a data breach, an event which brings with it a host of potential pitfalls.
In the event of a breach, an organisation will lose control of some or all of its data; axiomatic, we know, but worth stating clearly. Someone else has access to it. Since you have a duty of care both under the existing law and under the GDPR, that is a prima facie case of ‘misuse’. The reputational damage alone can be considerable; depending on the circumstances, it could threaten the future of the organisation. If the breach is a notifiable event under the GDPR it becomes a matter of public record, limiting the scope to deal with the matter discreetly. Such actions as are taken need to be approached with the understanding that they are likely to be done in the glare of publicity, or at least under ICO scrutiny, which is arguably much the same thing.
Here’s a thought, and experience tells us it is not a natural one for anyone concerned with data security. Should a breach occur, you might want to seek legal advice as part of your initial forensic investigation into the circumstances. There is a compelling reason for this: it may result in the investigation report being classified as privileged information and therefore not subject to discovery should any of the data subjects decide to lodge a claim. Obviously, we are not lawyers, but we do not doubt that specialists dealing with the GDPR and data matters in general will emerge. You should assume that there will be claims, especially if the organisation is well-known or the details of the breach are particularly lurid. The considered opinion following on from Vidal-Hall and others v Google is that the UK will see an increase in claims for damages following data breaches. The provisions of the GDPR suggest that more breaches will become matters of public record, and we may all have to learn to deal with unsolicited phone calls asking if we were affected by the data breach at company “X”.
The intention in writing this piece was not to scare its readers; at this point, it has probably failed in that intention. Everyone in business knows that the world can be a scary place from time to time, and the ever-changing world in which we all work can throw up new and unexpected challenges. Data security, the GDPR and the consequences of not examining the risks to your business are all serious matters. They are also, however, matters that can be addressed with foresight, planning and, if necessary, specialist expertise. While the GDPR is new, it has been years in the writing, and business has had to abide by the provisions of the Data Protection Act (DPA) and the Data Protection Directive for many years.
The concepts around securing data and ensuring its integrity are not new either, but the increasing emphasis on personal data is. Large organisations whose business is built on handling large amounts of personal or sensitive data have long-established procedures and infrastructure, and while they will be affected by the GDPR, there is a certain element of “more of the same”. For smaller companies, this may not be true. Use of data has increased exponentially over the past decade; Facebook was only properly launched around 2005. Decreasing IT costs have allowed smaller concerns to make use of customer data in a way that was simply not cost-effective until relatively recently. As a direct consequence, the GDPR will affect small and medium-sized companies, and it is vital that they understand this fact and prepare for it.
There is another argument in favour of the GDPR, and not one we have seen put too often: it is the right thing to do. None of us wish to be in a situation where our own personal information is being misused or put to purposes we have not explicitly agreed to. That principle is at the heart of the GDPR; it embodies a set of standards that are deemed to be appropriate, and it gives all EU governments the authority to enforce those standards to protect all of us. Whilst you may feel as if compliance is being forced upon you, you are also playing a vital role in ensuring that everyone can be a little more secure in the knowledge that their information, their data, is safer. Within the EU the GDPR is a little like immunisation: if everyone is protected to the same degree it becomes much, much harder for problems to occur, and the provisions of the GDPR do go a long way to achieving that. Like immunisation, it is only effective if the maximum number of participants are involved; too many weak spots and the health of the entire population can be threatened.
No analogy is perfect, but each organisation is part of a whole, interconnected and interdependent as far as data processes and procedures are concerned, so that all of us benefit. The GDPR provisions regarding vendor management and overseas data transfers reinforce this view by imposing obligations on companies to ensure that both they and their suppliers are compliant.
Who has to comply? There are no specific exclusions within the GDPR. If the only personal data you hold and process (a loose term which means many things) is your staff records, you have to comply. The regulation as written makes it clear that the GDPR applies to “personal data”; that is where the emphasis lies, not on the organisations collecting and processing it. The ICO is a good primary source of guidance, starting here.
Failure to comply with the GDPR is really not an option, no matter how unnecessary or onerous it appears, especially to small businesses; however, the steps and processes may not be as overwhelming as you might fear. We have a series of articles and papers on what the GDPR means to you in practical terms, and we are more than happy to discuss your individual requirements in detail. If you would like a further introduction to the GDPR and the steps you need to take to comply, we have an article you can read here.