|Of relevance to:||All firms controlling or processing personal data|
|Key date:||Applicable from 25 May 2018|
The biggest change to Europe’s Data Protection rules in 20 years will come into force in May 2018. The General Data Protection Regulation (“GDPR”) will give people new rights to access the information companies hold on them, require firms to better manage the data they have and bring new (and potentially much higher) fines.
Having been discussed for the past four years, companies will need to be ready to adhere to the rules under GDPR from 25 May 2018.
Under GDPR, individuals will have the right to access their personal data and supplementary information, as well as the right to be aware of and verify the lawfulness of the processing of their data. Customers will also have the ‘right to be forgotten’ and to have their data erased from a company’s records. It will become essential for a company to not only know whose data they hold, but what that data includes.
According to a data audit by W8 (specialists in data and marketing), up to 75% of the UK’s marketing data will become obsolete under GDPR. To use existing data, companies will need a fully documented permission trail, including the reason the data is needed and source of the consent.
Data Management Obligations
Once GDPR comes into effect, companies will have to put into place comprehensive but proportionate governance measures.
Tools such as data protection impact assessments (“DPIAs”, also known as privacy impact assessments or “PIAs”) and privacy by design will be legally required. The aims of these new tools are to minimise the risk of data breaches and uphold the protection of customer’s personal data. It comes down to companies having adequate processes and procedures in place that promote accountability and governance.
Infringements and Fines under GDPR
Based on the new infringement and administrative fine rules, companies will likely see enforcement action rise from hundreds of thousands to millions of Euros. As the rules state, depending on the nature, gravity and duration of the infringement, the company at fault could be fined either:
- up to 10,000,000 EUR or 2% of the total worldwide annual turnover, whichever is higher; or
- up to 20,000,000 EUR or 4% of the total worldwide annual turnover, whichever is higher.
It gets a lot more interesting when you look at recent fines and see how they would look if GDPR was in effect.
Here are a few examples:
Royal & Sun Alliance Insurance PLC
Royal & Sun Alliance Insurance PLC (RSA) were fined £150,000 following the loss of the personal information of nearly 60,000 customers.
According to their 2016 annual report, group revenue for 2016 was £6.4 billion. This would make their maximum GDPR fine £256 million, meaning that the fine could possibly increase from £2.50 per piece of data lost to £4,266 per piece – an increase of 170,540%.
Vanquis Bank Limited
Vanquis Bank Limited instigated a campaign to send 870,849 spam text messages and 620,000 spam emails to promote its credit cards.
Both the emails and texts broke the law because the recipients had not consented to being sent such messages. Vanquis Bank was fined £75,000. According to Vanquis Bank Limited’s 2016 annual report, their revenue was £589.4 million. Under GDPR, the fine could have been up to £23.5 million.
TalkTalk Telecom Group PLC
TalkTalk Telecom Group PLC were fined £100,000 after it failed to look after its customers’ data and risked it falling into the hands of scammers and fraudsters.
According to their 2016 annual report, TalkTalk Telecom Group PLC had a revenue of £1.838 billion meaning that if GDPR were in effect, the fine could have been as much as £73.52 million.
The significant nature of the fines could make a lot of smaller companies sit up and think ‘is my customer data really worth losing my business over?’
Moving forward under GDPR
GDPR may be a daunting prospect but it can be a good catalyst and opportunity for change. To get your business in good order, don’t delay your preparation. Auditing your data and running discovery exercises are essential leading into GDPR and at regular intervals thereafter. Don’t feel that you need to have all the data currently in your system. If it is not needed, consider getting rid of it. Finally, don’t assume that you have the rights to the data you need. With the enhanced customer data provisions, you will need to evidence the need for the data.
Do you have concerns around your data and the effects of GDPR?
Are you concerned how GDPR may affect your company? Contact Complyport today at firstname.lastname@example.org for a quick chat on how we could assist you through this daunting time.