Number of data breaches and fines on the rise, while many UK businesses remain oblivious to the GDPR
23 enforcement actions have been taken by the ICO since the beginning of January this year alone, fining companies up to £400,000 per offence for failing to comply with the current data protection law. From 25 May, depending on the infringement, fines will rise sharply, to up to £10 million or up to £20 million.
The total value of fines in 2018 has been over 4 times that of 2017. In January alone a record £1.7 million was handed out in fines, compared with the 2017 monthly average of £400,000.
It is likely that the nearly 20% rise in reported data breaches is due to raised consumer awareness of data protection. That raised awareness is the result of a sharp rise in media coverage, as reflected in the rise in consumers' online searches for GDPR-related articles.
Who is prepared
According to Forbes, only 8% of SMEs have completed their preparations for the regulation, which comes into effect on 25 May, while The Financial Times has concluded that fewer than 1 in 10 small businesses in the UK are prepared for the new GDPR legislation. Even more shocking is the fact that almost 20% of businesses are unaware of the upcoming changes in data protection, and therefore will not be prepared.
Not only have data breaches cost businesses significant fines, they have also damaged consumer trust and reputation. Consumer perception of your business' brand can even be permanently damaged; just think of the fallout after the data breach at 'Ashley Madison' in the US.
Protect your business from large fines and brand damage by ensuring you comply with the new GDPR rules, before it's too late.
GDPR Information pack – What is GDPR?
GDPR stands for General Data Protection Regulation and will come into effect from 25th May 2018.
The aim is to bring data protection legislation in line with how data is currently used and stored, harmonising it with the current Data Protection Act 1998.
That act is now 20 years old and, as we all know, a lot has changed in that time.
All companies will be affected by GDPR. For some it is already an extensive project as businesses rush to become compliant in time for May.
The GDPR comes with many new rules, and breaking them can bring hefty fines.
It will also introduce new rights for individuals. This in turn will make consent much harder to gain when obtaining personal information in the first place. Further to this, the current 'automated decision making' will be abolished in favour of human intervention.
Why is GDPR being brought in?
As we live in a world fuelled intensely by the internet, it goes without saying that more data is being held now than ever before, and with it comes the continuous added risk of cyber-attacks, which occur on a regular basis. The purpose of GDPR is to ensure that individuals who allow access to their data understand much better what that data is used for. In addition, they also have the right to know who is able to view it and how companies store that data. Furthermore, organisations have to ensure that all personal data is stored securely, so individuals have the confidence that their data is safe.
The intent is that the new GDPR rules will force companies to take a good look at the data they hold and ensure that it is up to date, accurate and secure.
It is also worth remembering that this extends past your own company and also touches on third parties to whom you supply personal information.
For example:
You outsource your payroll to another company. In this case you will need to obtain their privacy notice and have a strong understanding of their GDPR efforts. They will need to comply with the same regulations as you. Failure to check your third-party service providers' privacy policies will leave you at risk.
There have been many discussions about the fact that we are likely to exit the EU. This has some people questioning whether they really need to do much about GDPR for this reason.
However, to clarify: we will still be in the EU come 25th May 2018. We will therefore need to implement GDPR, for now at least.
Top tips to prepare for GDPR
- Awareness – Make your staff aware of the upcoming legislation
- Information you hold – Carry out a data map of all data you hold
- Communicate privacy information clearly – Ensure you have a privacy notice
- Individual rights – Make sure you’re aware of the new rights all individuals will have
- Subject access requests – Update your subject access request policy
- Legal basis for processing personal data
- Consent – Make sure you are up to date on the new rules for consent
- Breaches – Ensure you have set up policies outlining processes for contacting the ICO in regards to any breaches
- Data protection by design and data protection impact assessments
- DPO or Data Protection Officers – Appoint a DPO if necessary
How we help companies with GDPR
- Deliver GDPR training to your management and staff
- Review and amend your HR policies and procedures
- Draft GDPR-compliant HR documentation
- Advise you on potential breaches
- Support you should you receive a subject access request
Trainer information
Our senior employment law adviser Natasha Lawless has over 9 years' experience in the employment law sector and is the data protection adviser here at PeoplePointHR. She currently carries out GDPR training sessions for a number of clients and delivers them in a jargon-free manner. She aims to make a somewhat 'dull subject' as interesting as possible!
Whilst drafting the content of the training, Natasha understood that, GDPR being such an extensive subject, it could come across as quite overwhelming. Her training session is therefore broken down into bite-size chunks which make it easier to digest.
There is always time at the end of a session for questions and answers. The response we have had from our client AWH Legal, to whom she recently delivered GDPR training, demonstrates how useful they found it.
Quotes
"Natasha made the training session very interesting…"
"Would be hard to improve this training. It was accessible and helpful."
"I found the training condensed and very informative."