Are you worried about complying with breaching data protection laws?
You should be! According to the latest figures from the Information Commissioner’s Office (ICO) analysed by PwC, the number and value of fines issued by the ICO for data protection violations has increased significantly in recent years.
In 2016, 35 fines were handed out worth £3.2 million, whereas in 2015, 18 fines were issued worth £2 million.
The ICO can currently issue fines of up to £500,000. When the General Data Protection Regulations come into force on 25th May 2018, fines of up to €20 million (about £16.75m) or 4% of annual global turnover (whichever is higher) could be imposed!
To avoid hefty fines, you need to make sure that you are complying with the Data Protection Act and preparing for the new Regulations.
The main changes of the General Data Protection Regulations are as follows:
- In cases of data breaches, for example an accidental loss of data, organisations must notify the relevant data protection authority without undue delay and where possible no later than 72 hours after the breach. Data subjects must also be informed without undue delay about breaches that could pose a high risk to their rights and freedoms.
- A subject may request that their data is deleted if there are no legitimate grounds for retaining the data. This is known as the ‘right to be forgotten’ or ‘right to erasure’.
- When a subject’s consent is required, they must be asked to give it by means of a clear affirmative action, such as a written statement. Silence or inactivity is not a sign of consent.
- In regard to subject access requests, employers can no longer charge a fee. The only exception to the general rule is if the request is “manifestly unfounded or excessive”. The employer must respond within one month. This may be extended in certain circumstances, for example, if the employer has to deal with a particularly complex issue.
- Organisations must appoint a ‘data protection officer’ if they process sensitive personal data on a big scale, or regularly and systematically monitor data subjects on a large scale.
The clock is now ticking, so make sure you are getting ready for the changes highlighted above. The ICO has prepared 12 steps to take in preparation for the Regulations next year, but if you have any concerns about data protection, contact your Employment Law Adviser who can guide you.