Understanding and managing GDPR risks

Horror stories and negative opinions about GDPR have been around since the regulations were introduced: that it’s an administrative nightmare and any breach will result in a huge fine. The reality is completely different. It is a set of regulations designed to protect individuals’ personal data, which are straightforward to manage with sensible policies and risk management procedures.

Introduction to GDPR

The General Data Protection Regulation, better known as GDPR, sets out clear duties on businesses that hold personal data about individuals. The rules apply both to the ‘data controller’, the body which holds the data, and to ‘data processors’, organisations which process data on behalf of the controller.

GDPR was introduced by the EU in 2018 and was retained in UK law following Brexit under the Data Protection Act 2018. It grants rights to individuals about how their personal information is held and used. It is regulated in the UK by the Information Commissioner’s Office (ICO).

Legal Basis for Data Holding

An organisation can only hold data about individuals if it has a legal basis to do so. There are six bases:

  1. Consent of the individual
  2. Processing is necessary for the performance of a contract
  3. Compliance with a legal obligation
  4. For the protection of the vital interests of the individual
  5. In the public interest
  6. The legitimate interest of the data controller

Handling Sensitive Personal Data

Additional restrictions apply to more sensitive personal data such as health, gender, sexual orientation and other special categories. So, if you are active in a business which collects such data, greater care is needed to collect, store and use this information.

Individual Rights

Individuals have the right to access data you have about them and can require you to correct or delete information you hold.

Data Relevance and Retention

Critically, you can only hold data which is relevant and necessary to enable you to carry out your work, and it should be kept for no longer than is necessary. This is where it is easy to trip up: breaches of the regulations commonly occur where data used for one purpose, say to administer a contract or undertake a survey, is then used for an unrelated purpose, such as generating an email marketing list.

Case Study: Cambridge Analytica Scandal

A highly publicised example of this was the infamous Cambridge Analytica scandal. Cambridge Analytica paid thousands of people to use an app to take personality tests and to have their data collected for academic use. However, unbeknown to the users, the app also collected data on their Facebook friends. This harvested millions of people’s data, which was used to profile US voters in the 2014 election. When the scandal broke, Facebook was fined $5 billion, and Cambridge Analytica closed its operations.

Common GDPR Breaches

Other common breaches of GDPR include information going to the wrong recipient, loss or theft of devices with unencrypted data, incorrect transfer of data in case management or hackers stealing and misusing data.

Consequences of Breaches

Reckless behaviour can result in huge fines. British Airways was fined over £20m by the ICO when hackers broke into the airline’s systems and harvested data. Over 400,000 customers and staff were affected.

ICO’s Approach to Enforcement

But the ICO itself says it is “unlikely to take enforcement action against any organisation genuinely seeking to comply with the provisions of the legislation.” It says it works with organisations to find a resolution to data breaches through the development of improvement plans.

Best Practices for Data Protection

The best course for any business is to take steps to protect customers’ data so an investigation by the ICO is never required. Ensuring good data management and security for your clients is good business practice and there are several simple steps you can take to protect them and your business.

Appointing a Data Protection Officer

While it is not a legal requirement to appoint a Data Protection Officer, it is good practice at the very least to make a senior individual responsible for data. It’s important to ensure they are adequately trained and empowered to protect individuals’ data within your organisation.

Legal Basis and Data Segregation

Be careful to ensure that any data you hold falls within one of the six legal bases and do not allow this data to become ‘mingled’. Watch out for old email lists or contact information held on colleagues’ local hard drives.

Privacy and Staff Policies

Develop and implement a clear privacy policy which sets out how you hold and use individuals’ data. It’s a good idea to publish this on your company’s website for clients to read if they wish. Also, develop staff policies which clearly set out how colleagues should manage and protect individuals’ data.

Access Control

Ensure that only relevant staff members can access information about individuals which is necessary for their work. For example, not everyone in your firm needs to access information about a client’s case which may contain highly sensitive and personal information.

Data Review and Deletion

Set clear dates to review and delete data. It’s amazing how easy it is to hang onto data, some of which may be completely out of date. But make sure you hold client data long enough to be able to defend any possible future legal challenges. Six or seven years should be sufficient in most cases under limitation legislation, but there are circumstances in which longer periods may be prudent.

Sharing Information with Third Parties

Many businesses legitimately share information with third parties to undertake work for their individual clients. If you do, make sure you have clear contracts with any third parties and ensure they have robust procedures to ensure their own compliance with GDPR.

Data Security

Finally, ensure data is held securely on systems and is safe from hackers, with regular reviews of data security. We know from stories in the media how sophisticated hackers have become, and it is impossible to guarantee complete security. By keeping your systems up to date, you minimise the risk of a data breach.

Of course, these steps cannot guarantee you will never face an investigation by the ICO. But by having all the right policies and procedures in place, the risk is greatly reduced and you also have an excellent defence in the event of an investigation.

Paul Gillett

Paul has 25 years’ experience securing Professional Indemnity insurance for his clients. He and his team support financial and construction professionals with insurance, risk mitigation, and claims management.