Lawgistics: GDPR – what was all the fuss about?
Nona Bowkis is a Solicitor at Lawgistics Ltd, and this month Nona has written this informative piece on GDPR for the Spidersnet blog…
The General Data Protection Regulation (GDPR) came into force on 25 May 2018. Prior to its implementation, GDPR warnings were everywhere: people were killing off their marketing databases and seeking consent regardless of whether they needed to or not. Since May, it’s all gone rather quiet, or has it?
Well no, the scare-tactic marketing may have calmed down, but GDPR and its lesser-known UK counterpart, the Data Protection Act 2018 (DPA), which came into force on the same day, are alive and very much kicking. Here we take a look at some of the issues and fines which have already arisen and at what you can do to avoid them.
REGISTERING AS A DATA CONTROLLER
First and foremost, if you are processing personal data (and you are likely to be if you deal with consumers), you need to register with the Information Commissioner’s Office (ICO) at:
There is a fee to pay, which depends on the size of your organisation and starts at just £40 for micro enterprises. For SMEs it’s £60, and for those with over 250 staff or a turnover of over £36 million it is £2,900. Payment by Direct Debit gets you a £5 discount – don’t spend it all at once!
A more useful benefit of paying by Direct Debit is that you won’t forget to renew: failing to pay the fee (and this includes renewals) is a civil offence and can attract a penalty of up to £4,350.
Within just six months of GDPR coming into force, the ICO had issued over 900 notices of intent to fine and over 100 penalty notices over unpaid fees. And they will carry on chasing them, as it is the fee income that funds their data protection work, which is now undertaken by 670 staff.
SUBJECT ACCESS REQUESTS
Subject Access Requests, or SARs, are not new. However, where you used to be able to slow the process down by requesting a £10 fee, you now have only one calendar month to respond to any request, and you can no longer charge a fee. This means you must have a system in place that lets you retrieve data pretty quickly in response to a request.
Since GDPR we have seen an increase in the number of SARs being made, and mostly they are from the sort of pesky consumer who just wants to be a pain, because they can.
GDPR and the DPA give any data subject, that’s you and me, the right to get a copy of all the personal data a company holds about them. This can include emails, CCTV footage and copies of recorded telephone conversations.
This may sound like an onerous task, but nonetheless it is something you need to think about when putting your policies in place.
If a SAR is complex, you can extend the response time by a further two months, but you must tell the requester within the first month that you are doing so and why. If a person asks for CCTV footage from five years ago, it is a legitimate response to go back to them and ask for specific dates and times to make the footage easier to find.
It is also possible to refuse to provide the data if you consider the request to be ‘manifestly unfounded’ or ‘excessive’. In the case of consumers asking for data just to cause grief because they cannot get what they want, we feel it is justified to say the request is manifestly unfounded. However, there is very little guidance on this point, so ultimately it may fall to the ICO to decide, should the consumer complain to them about a refusal on that basis.
Lastly on the topic of SARs, you should not provide any data relating to a third party, as an individual is only entitled to a copy of their own data. You can seek the express consent of any third party, or you can decide whether it is reasonable to disclose the information without their consent, but the general rule is that people can only have their own data. This has already been an issue with consumers asking for copies of phone calls with sales people, usually because they want evidence of something which they say was promised to them.
Strictly speaking, you can simply provide a copy of the consumer’s own side of the call, or a transcript of what they said, as a SAR is simply a request for a copy of their data and not a backdoor way of obtaining evidence to support any complaint they may have.
PRIVACY POLICIES AND TEMPLATES
By now, everyone should have all their privacy policies in place. People visiting your website need to know what you do with their data.
If you are missing any of these, you can get a FREE GDPR pack complete with templates for all the above by emailing firstname.lastname@example.org. And, if you are a member of Lawgistics, you get free access to www.hrmanager.co.uk which, in addition to helping you manage all of your employment obligations and your Health and Safety compliance checks, will also help you with your ongoing obligation to comply with GDPR and the DPA.