Understanding the General Data Protection Regulation (GDPR) and the Data Protection Act 2018, both of which make up the current data protection legislation, as well as the implications placed upon employers in respect of the same, is vital and cannot be ignored. In this modern age, the significance of data protection law continues to grow as it provides fundamental protection to individuals and businesses alike.
We can assist you in navigating this complex area of law, ensuring that your employees’ data is protected and that you are complying with the current data protection legislation. We can further assist you in ensuring that your employees have clear and express instructions as to how they are to handle data.
We can also support you in the event of a data breach as we understand that the financial and reputational damage that can be caused by a data breach may have devastating consequences to you and/or your business.
Our specialist team can provide you with comprehensive and well-rounded expert legal advice on GDPR compliance, as well as how to deal with the Information Commissioner’s Office (ICO) where necessary.
What is the General Data Protection Regulation (GDPR)?
The GDPR (together with the Data Protection Act 2018) controls how organisations collect, use and store the personal information of individuals (including employees). The GDPR applies to all businesses operating in the European Economic Area (as well as businesses outside which offer goods or services to people based in the Area). In the UK, the Information Commissioner’s Office (ICO) is the regulatory body that deals with compliance with the GDPR.
There are seven principles of the GDPR that businesses should seek to follow:
- Lawfulness, fairness and transparency: You must collect, use and store all personal data legally and fairly. You must also publish a privacy notice detailing how you use individuals’ data
- Purpose limitation: You must only use the data that you hold in the way outlined within your privacy notice (or for new purposes that are compatible with your privacy notice)
- Data minimisation: You must only collect and store data that is relevant and necessary for those purposes that are set out in your privacy notice
- Accuracy: You must ensure that data is correct when you collect it and is kept up to date whilst in storage. You must also delete any incorrect or out-of-date data
- Storage limitation: You should only keep data for as long as it is necessary for those purposes outlined in your privacy notice. You must securely destroy data once it’s no longer needed
- Integrity and confidentiality: You must store all data in a confidential and secure manner
- Accountability: You must document how you comply with the other six principles through policies and procedures.
What is a data breach?
A data breach is the leaking or unlawful accessing of personal data records held and maintained by a business. A data breach may be accidental or due to intentional criminal activity.
It may be something as small as an email being sent to the wrong person, or a large scale system hack of an organisation’s entire server.
Whatever your circumstances, data breaches can have far-reaching consequences and, in many cases, they can affect the security of the individuals involved (which, at worst, could lead to identity theft or access to bank accounts).
Regardless of which individuals are affected by a data breach, it should be treated with the utmost seriousness and dealt with as quickly as possible to limit any effects.
What to do in the event of a data breach
In the event of a data breach, you must act quickly as businesses have 72 hours to report the breach to the Information Commissioner’s Office (ICO). Failing this, the business can incur a maximum fine of up to £8.7 million or 4% of the business’s yearly turnover – whichever is higher.
Following a notification to the ICO, businesses should seek to cooperate with the ICO to identify the cause of the data breach, to recover any information lost and to take steps to prevent further data breaches. The ICO will assist in conducting the investigation, but it is the business’s responsibility to seek to reduce the impact of the breach on the parties whose data was leaked, and to improve its security.
Should you be in the position of identifying a data breach, we can provide swift advice on your immediate obligations (including reporting to the ICO) and on any notification obligations within regulated sectors, and assist you in dealing with the reputational impact of the breach.